Release Notes for This Release

32.3

2024-03-27

PrivX 32.3 is an incremental release with security and bug fixes.

32.2

2024-01-10

32.2 is an incremental release to address the Terrapin vulnerability. The fix includes the following changes:

  • PrivX SSH Proxy and SSH Bastion enable the OpenSSH strict KEX protocol extension when the target server and the client express support for it during the initial KEX exchange.
  • The chacha20-poly1305@openssh.com algorithm is removed from the sets of default sshtarget and sshclient ciphers.
  • The hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com algorithms are removed from the sets of default sshtarget and sshclient macs.

It is possible to revert to the vulnerable algorithm combinations by editing the /opt/privx/etc/ssh-algorithms.toml file. This is not recommended unless you are certain that all target servers and clients that PrivX communicates with support the OpenSSH strict KEX protocol extension.
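Before re-enabling the removed algorithms, an administrator wants to know whether each target server actually advertises the strict KEX extension. The following script is an added example, not PrivX code: it parses the plaintext SSH_MSG_KEXINIT message that every SSH peer sends before keys exist, checks for the OpenSSH strict-KEX marker (the real pseudo-algorithm names kex-strict-s-v00@openssh.com for servers and kex-strict-c-v00@openssh.com for clients), and lists which of the algorithms dropped from the PrivX defaults the peer still offers. The two KEXINIT payloads at the bottom are constructed samples; fetch_server_kexinit reads a live server's KEXINIT over a socket and is only needed for real targets.

```python
"""Inspect an SSH_MSG_KEXINIT payload: does the peer advertise OpenSSH strict KEX,
and does it still offer the algorithms PrivX 32.2 removed from its defaults?"""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Pseudo-algorithms with which OpenSSH 9.6+ signals strict-KEX support
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
# Algorithms the 32.2 notes remove from the default sshtarget/sshclient sets
REMOVED_CIPHERS = {"chacha20-poly1305@openssh.com"}
REMOVED_MACS = {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"}
# The ten name-lists of KEXINIT in wire order (RFC 4253, section 7.1)
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {list_name: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    off = 1 + 16  # message id followed by the 16-byte random cookie
    lists = {}
    for name in NAME_LISTS:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length]
        if len(raw) != length:
            raise ValueError("truncated KEXINIT")
        off += length
        lists[name] = raw.decode("ascii").split(",") if raw else []
    return lists


def build_kexinit(**lists) -> bytes:
    """Serialise name-lists into a KEXINIT payload (used to construct the samples)."""
    out = bytearray([SSH_MSG_KEXINIT]) + b"\x00" * 16  # fixed cookie is fine for samples
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    out += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=false, reserved
    return bytes(out)


def assess(kexinit: dict, role: str = "server") -> dict:
    """Report strict-KEX support and which of the removed algorithms are still offered."""
    marker = STRICT_KEX_SERVER if role == "server" else STRICT_KEX_CLIENT
    strict = marker in kexinit["kex"]
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    return {
        "strict_kex": strict,
        "removed_ciphers_offered": sorted(ciphers & REMOVED_CIPHERS),
        "removed_macs_offered": sorted(macs & REMOVED_MACS),
        # Re-enabling the removed algorithms is only defensible when strict KEX is present
        "safe_to_reenable": strict,
    }


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read a server's KEXINIT from a live connection; it is sent in plaintext before any keys."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        while True:  # servers may send free-text lines before the version string
            line = stream.readline()
            if not line:
                raise ConnectionError("no SSH banner received")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")  # our own identification string
        packet_len, padding_len = struct.unpack(">IB", stream.read(5))
        body = stream.read(packet_len - 1)  # payload + padding, no MAC before key exchange
        return body[:packet_len - 1 - padding_len]


# Constructed samples: a server without strict KEX that still offers the removed
# algorithms, and one that advertises strict KEX (as OpenSSH 9.6+ does).
COMMON = dict(host_key=["ssh-ed25519"], comp_c2s=["none"], comp_s2c=["none"])
OLD_SERVER = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha256"],
    enc_c2s=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    enc_s2c=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    mac_c2s=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    mac_s2c=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"], **COMMON)
PATCHED_SERVER = build_kexinit(
    kex=["curve25519-sha256", STRICT_KEX_SERVER],
    enc_c2s=["chacha20-poly1305@openssh.com"], enc_s2c=["chacha20-poly1305@openssh.com"],
    mac_c2s=["hmac-sha2-256-etm@openssh.com"], mac_s2c=["hmac-sha2-256-etm@openssh.com"],
    **COMMON)

if __name__ == "__main__":
    for label, sample in (("old server", OLD_SERVER), ("patched server", PATCHED_SERVER)):
        print(label, assess(parse_kexinit(sample)))
```

For a real target, `assess(parse_kexinit(fetch_server_kexinit("host.example")))` gives the same report; the client side can be checked the same way with role="client" on a KEXINIT captured from the client. Note that offering chacha20-poly1305 or an etm MAC is not by itself a problem once strict KEX is negotiated; the report only tells you which combination you would be relying on.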

32.1.1

2023-12-05

This minor release fixes the Carrier browser images (chromium, chromium_lite). The upgrade involves downloading the new browser images and tagging them to match the current PrivX Carrier version.

This example shows how to upgrade the Chromium container image on PrivX Carrier 32.1:

# docker pull public.ecr.aws/sshprivx/privx_browser_chromium:32.1.1
# docker tag public.ecr.aws/sshprivx/privx_browser_chromium:32.1.1 public.ecr.aws/sshprivx/privx_browser_chromium:32.1

32.1

2023-12-01

32.1 is an incremental release that fixes some performance and stability issues found in 32.0.

Bug Fixes

  • [PX-6334] User login timestamp is updated more often than necessary
  • [PX-6364] Trail integrity housekeeping improvement
  • [PX-6387] workflow-engine spams rolestore
  • [PX-6464] panic in secrets-manager

32.0

2023-11-23

Important Notes for This Release

Update to API Roles Parameters

The Role-Store API has been updated for managing user roles in the /role-store/api/v1/users/{user_id}/roles endpoint, affecting both GET and PUT requests. The method for defining validity periods for time-limited roles has changed. Previously, these periods were set using grant_start and grant_end attributes in the root object. Now, they are specified within the grant_validity_periods array, which supports multiple time ranges.

See API specification

The Monitor-service instance status endpoint at /monitor-service/api/v1/instance/status, used for load balancer status checks, no longer returns a JSON body for unauthenticated requests. The status codes (200 for OK, 500 for instance down) remain the same and should be used for LB health checks.

PostgreSQL 9.x and 10.x Support Ended

PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022 respectively, and official support for these databases ends with this release. To upgrade the PrivX database, see Upgrade PrivX Database to Supported Version.

Preserve Custom Browsers when Updating Carrier Configuration

If you use a custom-browser image, and upgrade Carriers and their configurations, ensure that your custom-browser image is specified in the Carrier configuration carrier-config.toml. The name of the custom-browser image must be specified in the default setting under the [web_browsers] section.

Rocky Linux/RHEL 9 Official Support Added and CentOS/RHEL 7 Support Ending

CentOS 7 and RHEL 7 will reach end of life on June 30, 2024. PrivX aims to end installation support for these platforms on the same timeline. Starting from PrivX 32, Rocky Linux 9 and RHEL 9 are officially supported. See Migrate from EOL Operating Systems.

Deprecation Warnings

Redis Support Ending
Redis support will end in a future release. We recommend you switch to PostgreSQL for PrivX microservice notifications. Please change the notification mechanism to PostgreSQL if your PrivX still uses Redis for notifications.

SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
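To find out whether any certificate in your PrivX environment still needs the GODEBUG override before SHA-1 support is dropped, it is enough to read the outer signatureAlgorithm of each certificate. The script below is an added example, not a PrivX tool: a minimal DER walker (standard library only) extracts that algorithm OID and flags the SHA-1 variants. The three OIDs in SHA1_SIGNATURE_OIDS and the three in OTHER_OIDS are the real X.509 identifiers; the certificate built by constructed_certificate is structurally valid DER with dummy content, used only as sample input.

```python
"""Find certificates whose signature algorithm is SHA-1 based, so they can be
replaced before SHA-1 support is dropped.  Stdlib only: a minimal DER walker
reads Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
import base64
import re
import sys

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
OTHER_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.3.101.112": "Ed25519",
}


def _read_tlv(buf: bytes, off: int):
    """Return (tag, value_start, value_end) for the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length


def _decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:  # base-128, high bit set on all but the last byte of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der: bytes) -> str:
    """Return the dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, start, _ = _read_tlv(der, 0)  # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)  # tbsCertificate, skipped entirely
    tag, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def check_certificate(der: bytes) -> dict:
    oid = signature_algorithm_oid(der)
    name = SHA1_SIGNATURE_OIDS.get(oid) or OTHER_OIDS.get(oid, "unknown")
    return {"oid": oid, "algorithm": name, "sha1": oid in SHA1_SIGNATURE_OIDS}


# --- constructed sample data: structurally valid DER, not real certificates ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return body


def constructed_certificate(sig_oid: str) -> bytes:
    """Certificate skeleton with a dummy tbsCertificate and signature (sample only)."""
    tbs = _der(0x30, _der(0x02, b"\x01"))  # would hold version, serial, subject, ...
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 8)  # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":  # usage: python check_sha1.py cert1.pem cert2.pem ...
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, check_certificate(pem_to_der(fh.read())))
```

The check reads only the signature over the certificate, which is what the SHA-1 trust decision concerns; it does not compare subject and issuer, so a self-signed SHA-1 root (which PrivX still trusts by default) is reported too and must be set aside by hand. A PEM file with several certificates yields only its first one.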

privx-cmd and PrivX-Agent support for old platforms ending

privx-cmd and agents released in PrivX v33 and later may not support old platforms:

  • Windows 7, 8, Server 2008 and Server 2012.
  • MacOS versions 10.14 and older.

If you use agents or privx-cmd for enabling native-client connections, ensure that the users' OS is updated.

Supported releases and upgrade path

After this release, we provide security and stability fixes for PrivX 32.x, 31.x, and 30.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (31.x, 30.x, 29.x). For more information about upgrading from older versions, see Upgrade from Older Releases.

New Features

  • [PX-2314] VMWare vSphere as a supported host directory.
  • [PX-3940] Session-Password Authentication, which allows OIDC login for native RDP/DB connections.
  • [PX-4299] Support for granting multiple validity periods for the same user role via workflows.
    Note that such requests must be requested and approved one at a time.
  • [PX-5418] Multi-Factor Authentication with PrivX Authorizer, a mobile app developed by us.
  • [PX-6142] Dark mode GUI support.
  • [PX-6174] Exporting List Data to CSV or JSON.
  • [PX-6176] Options to omit clipboard and/or file transfers from session recordings.
  • [PX-6273] Initiate connections to target host straight from the host configuration page. Useful for testing connections.
  • [PX-5215] UI shows file upload status on terminal view
  • [PX-5778] UDP protocol support for network targets through Extender
  • [PX-6165] Option to configure web service specific browser version for Carrier connections

Improvements

  • [PX-5630] Password Rotation automatic selection of operating system
  • [PX-6088] ssh-algorithms.toml: prefer aes256 over aes128 ciphers.
    • The diffie-hellman-group1-sha1 SSH kex algorithm was dropped from the default algorithms. It can be re-enabled in ssh-algorithms.toml.
  • [PX-6247] Increase the max file transfer size limit for web connections
  • [PX-6251] web-proxy: allow server responses to take longer than 60 seconds to complete
  • [PX-6389] UI pagination loading improvement
  • [PX-6208] AWS directory does not stop scanning other regions if one region fails. Added region filter feature for cloud host directories.

Bug fixes

  • [PX-5763] Error code for missing workflow step name is incorrect
  • [PX-6086] Fixed Carrier Chromium browser startup issue
  • [PX-6153] PrivX Web-Proxy in HA doesn't do the failover.
  • [PX-6158] PrivX Carrier browsers - dial down the policies to allow viewing HTTPS certificate for web site
  • [PX-6173] Renaming role does not work correctly
  • [PX-6175] SSH Proxy crash issue fixed
  • [PX-6177] OIDC userinfo endpoint does not obey TLS trust anchors file in shared-config
  • [PX-6178] File upload cookies are not expired when the upload request happens.
  • [PX-6187] Incorrect error shown in logs when deleting key on HSM environment
  • [PX-6224] Using role name with space causes issues with Chrome container
  • [PX-6235] Problem with alt key capturing in web session.
  • [PX-6254] Disabling urlbar and navibar doesn't work for Carrier Chromium
  • [PX-6284] RDP-PROXY connectivity broken for legacy ciphers TLS 1.2 and TLS 1.1/TLS 1.0.

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-2947] No sound when viewing recorded rdp-mitm connection.
  • [PX-3086] PrivX role mapping to AD OU not working as expected.
  • [PX-3529] Default access group CA key is always copied to the host when running the deployment script via Extender
  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
  • [PX-4352] UI shows deleted local user after delete
  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
    • Workaround: Restart the affected Carrier and Web-Proxy services.
  • [PX-4662] Pasting larger amounts of text in Carrier/Proxy host fails (limited to 16kB for now)
  • [PX-4689] PrivX Linux Agent leaving folders in /tmp
  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
  • [PX-5558] PrivX does not support the password change required option for a user in the auth flow via passkey.
