These docs are for v31; the latest docs are for v33.

Release Notes for This Release

31.3

2024-03-27

PrivX 31.3 is an incremental release with security and bug fixes.

31.2

2024-01-10

PrivX 31.2 is an incremental release to address the Terrapin vulnerability (CVE-2023-48795). The fix includes the following changes:

  • PrivX SSH Proxy and SSH Bastion enable the OpenSSH strict KEX protocol extension when the target server and the client signal support for it in their initial KEXINIT (with the kex-strict-s-v00@openssh.com and kex-strict-c-v00@openssh.com pseudo-algorithm names, respectively).
  • The chacha20-poly1305@openssh.com cipher is removed from the sets of default sshtarget and sshclient ciphers.
  • The affected Encrypt-then-MAC (*-etm@openssh.com) algorithms are removed from the sets of default sshtarget and sshclient macs, since Terrapin also applies to CBC ciphers combined with EtM MACs.

It is possible to revert to the vulnerable algorithm combinations by editing the /opt/privx/etc/ssh-algorithms.toml file. This is not recommended unless you are certain that every target server and client that PrivX communicates with supports the OpenSSH strict KEX protocol extension; a peer without it would again be exposed to the Terrapin prefix-truncation attack.

31.1.1

2023-10-12

This minor release fixes the Carrier browser images (chromium, chromium_lite, firefox, firefox_lite). The upgrade consists of downloading the new browser images and tagging them to match the current PrivX Carrier version.

This example shows how to upgrade the Chromium container image on PrivX Carrier 31.1:

docker pull public.ecr.aws/sshprivx/privx_browser_chromium:31.1.1
docker tag public.ecr.aws/sshprivx/privx_browser_chromium:31.1.1 public.ecr.aws/sshprivx/privx_browser_chromium:31.1

PrivX Carrier does not need to be restarted after running these commands.
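The same two commands have to be repeated for all four browser images, and a re-tag that silently fails (for example because the pull did not complete) leaves the Carrier running the old build under the new-looking tag. The following added example (not PrivX code) generates the pull/tag sequence for every image, optionally executes it, and then verifies that the running tag and the fixed tag resolve to the same image ID. The registry path and the privx_browser_chromium name are taken from the note above; the other three image names are assumed to follow the same pattern.

```python
"""Re-pull the fixed PrivX Carrier browser images and re-tag them to the tag the
running Carrier uses.  Added example, not part of PrivX."""
import subprocess

REGISTRY = "public.ecr.aws/sshprivx"
# privx_browser_chromium is the name shown in the release note; the other three are
# an assumption based on the same naming pattern.
BROWSER_IMAGES = ("privx_browser_chromium", "privx_browser_chromium_lite",
                  "privx_browser_firefox", "privx_browser_firefox_lite")


def image_ref(image, tag, registry=REGISTRY):
    return f"{registry}/{image}:{tag}"


def upgrade_commands(fixed_tag, running_tag, images=BROWSER_IMAGES):
    """docker pull/tag argument vectors for every image, in execution order."""
    cmds = []
    for img in images:
        fixed, running = image_ref(img, fixed_tag), image_ref(img, running_tag)
        cmds.append(["docker", "pull", fixed])
        cmds.append(["docker", "tag", fixed, running])
    return cmds


def image_id(ref):
    """Content-addressed image ID of a local image reference (raises if absent)."""
    out = subprocess.run(["docker", "image", "inspect", "--format", "{{.Id}}", ref],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def upgrade(fixed_tag, running_tag, images=BROWSER_IMAGES, dry_run=True):
    """Print (dry run) or execute the upgrade. When executed, returns the images whose
    running tag does not resolve to the fixed build afterwards; empty means success."""
    for cmd in upgrade_commands(fixed_tag, running_tag, images):
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    if dry_run:
        return []
    return [img for img in images
            if image_id(image_ref(img, fixed_tag)) != image_id(image_ref(img, running_tag))]


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--apply"]
    fixed, running = (args[0], args[1]) if len(args) >= 2 else ("31.1.1", "31.1")
    stale = upgrade(fixed, running, dry_run="--apply" not in sys.argv)
    if stale:
        sys.exit("re-tag failed for: " + ", ".join(stale))
```

Run without arguments to see the commands for 31.1.1 over 31.1; add `--apply` to execute them and verify the result.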

31.1

2023-09-21

PrivX 31.1 is an incremental release on top of PrivX 31.0 with security and bug fixes.

  • [PX-6244] Channel may get closed in ssh-mitm exec connections before the output is sent to the client

31.0

2023-09-04

PrivX 31.0 is a maintenance release focused on technical enhancements.

Important Notes for This Release

Azure-Directory Migration to MS Graph

If you have set up Azure user/host directories using the Azure AD Graph API, such directories are automatically migrated to the MS Graph API when you upgrade to this release. After the upgrade, you still need to manually grant the following API permissions to the PrivX app in the Azure Portal:

Microsoft Graph→Application Permissions

  • User.Read.All
  • GroupMember.Read.All

Azure AD Graph API was deprecated in June 2023.
https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview

For more information about setting up Azure directories with MS Graph, see Azure AD as a User Directory via Microsoft Graph API.

Required actions to optimize PrivX performance

As part of our ongoing effort to optimize PrivX performance, we have introduced additional indexing support starting with PrivX 28. Some of the improvements require the pg_trgm extension to be installed in the PrivX database. For more information about enabling indexing, see Improve Performance with Indexing before upgrading.

Deprecation Warnings

Redis Support Ending
Redis support will end in a future release. We recommend switching to PostgreSQL for PrivX microservice notifications. Please change the notification mechanism to PostgreSQL if your PrivX still uses Redis for notifications.

PostgreSQL 9.x and 10.x Support Ending

PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022 respectively, and support for these database versions will be dropped in a future PrivX release. For more information about upgrading the PrivX database, see Upgrade PrivX Database to Supported Version.

SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

By default PrivX does not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the Go runtime's GODEBUG=x509sha1=1 environment variable for the PrivX microservices and tools.

Practical collision attacks against SHA-1 were demonstrated in 2017 (SHAttered), and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

privx-cmd and PrivX agent support for old Windows versions ending

privx-cmd and agent builds released after Q3/2023 may not support Windows 7, Windows 8, Windows Server 2008 or Windows Server 2012. If you connect directly with the native SSH client on Windows via privx-cmd, or use the Windows version of the PrivX agent, please upgrade to a supported Windows version.

Supported releases and upgrade path

After this release, we provide security and stability fixes for PrivX 31.x, 30.x, and 29.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (30.x, 29.x, 28.x). For more information about upgrading from older versions, see Upgrade from Older Releases.

New Features

Improvements

  • [PX-4820] Show progress while fetching lots of users/hosts from directories
  • [PX-5874] Support database certificates in Kubernetes
  • [PX-5978] Deployment script supports "--offline" option
  • [PX-5156] Carrier container follows user browser's timezone
  • [PX-5925] Hosts in unusable statuses are filtered out from import
  • [PX-6041] [email protected] is supported and added to ssh-algorithms.toml
  • [PX-6047] In an active connection in web client, pressing Ctrl-w does not close connection abruptly
  • [PX-6160] Support additional Graph API attributes for attribute mapping
  • [PX-6143] Improved UX for multiple files uploading
  • [PX-6129] web-proxy: domain-pattern-based suppression of certificate validation errors
  • [PX-6132] web-proxy: proxy chaining support with HTTP CONNECT and SOCKS proxies
  • [PX-6146] [PX-6105] web-proxy: internal enhancements to SSL-bumped certificate generation
  • [PX-6162] web-proxy: support legacy X.509 certificates

Bug fixes

  • [PX-4411] RDP-PROXY: "Default access group not found" warning on manual connection for no reason
  • [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
  • [PX-5076] Housekeeping task to delete inactive user data doesn't work with a large number of users
  • [PX-5394] SSH certificate authentication connections fail after rotating the PrivX CA key
  • [PX-5786] Empty trail folders left after housekeeping
  • [PX-5875] Incorrect message when the SSO session has expired at PrivX UI login
  • [PX-5943] nginx default.conf in /etc/nginx/conf.d overrides privx.conf
  • [PX-5968] Disclaimer popup and preview issues
  • [PX-5979] Host tags are returned in random non-deterministic order
  • [PX-6016] Missing trailing slash in the connection URL causes the web connection to fail
  • [PX-6027] The UI suggests the wrong role mapping example when a Graph directory is selected
  • [PX-6073] Deleting user directory does not clean up role mapping rules.
  • [PX-6075] Typo in PrivX sshexec router README file
  • [PX-6094] MFA tokens can be overwritten in cases of DB connectivity issues
  • [PX-6136] Trails for active SSH connections may be corrupted when ssh-proxy is stopped
  • [PX-6139] Health check status for web services is broken if the host has other services configured
  • [PX-6185] Connection-manager search API with sortKey "id" returns BAD_REQUEST.

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct the SELinux context, copy principals_command.sh to its correct location (copying, as opposed to moving, creates a new file that receives the default SELinux label for /etc/ssh/):

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains

  • [PX-2947] No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
  • [PX-4352] UI shows deleted local user after delete
  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
    • Workaround: Restart affected Carrier and Web-Proxy services.
  • [PX-4662] Pasting large amounts of text into a Carrier/Proxy host fails (limited to 16 kB for now)
  • [PX-4689] PrivX Linux Agent leaving folders in /tmp
  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
  • [PX-5558] PrivX does not support the "password change required" option for users authenticating via passkey.
  • [PX-6261] Revoking default access group initial CA in HA env doesn't remove its key from all nodes
    • Workaround 1: Leave the old CA key. Once a new key has been set as the primary CA key, the old one should not adversely affect PrivX functionality.
    • Workaround 2: Revoke the old CA key from Administration->Access Groups, then run the following command on each PrivX Server:
      /opt/privx/bin/keyvault-tool -name "PrivX CA Key" delete-asymmetric
      
      Verify the key was deleted:
      /opt/privx/bin/cert-tool -command list -type authorizer-ca -short | grep "OU=PrivX Authorizer CA/" | cut -f 4
      
      The key was deleted successfully if the previous command outputs nothing. If the command returned a UUID, run the following command once on any PrivX Server (replace <cert_id> with the output of the previous command):
      /opt/privx/bin/cert-tool -command delete -id <cert_id>
      
  • [PX-6284] RDP-PROXY connectivity broken for legacy TLS 1.2 cipher suites and for TLS 1.1/TLS 1.0