Release Notes for This Release
37.0
2024-11-27
37.0 is a major release with new features.
After this release, we provide security and stability fixes for PrivX 37.x, 36.x, and 35.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 34.x, 35.x, 36.x
- Zero-downtime upgrade: 36.x
Important Notes for This Release
PrivX LTS (long-term support) is coming soon. We are planning to release the PrivX LTS version soon and are committed to providing 2-year support for each PrivX LTS release. The first LTS version will be based on PrivX 36, so please do not upgrade to PrivX 37 if you choose the LTS path.
Read more: PrivX LTS (long-term support) Introduction
Retaining SID extensions in RDP-certificate authentication
In PrivX 36, RDP certificates issued by PrivX for authentication contain the SID extension by default. Some legacy use cases in some customers' environments are interrupted because of missing or mismatching SID values. In PrivX 37, PrivX supports a setting to control whether the SID extension is included in RDP certificates.
If you are upgrading from 36.0 or 36.1 and want to keep your existing default settings for RDP certificates, you need to perform additional configuration. You can do this either before or after the upgrade to 37:
Option 1: Configure before upgrade
Configuring before upgrade allows RDP certificate authentication to work throughout the upgrade process.
Gain root terminal access to any PrivX server and add the following lines right after the AUTHORIZER.logging section in /opt/privx/etc/settings-default-config.toml:
[AUTHORIZER.ca_settings]
rdp_x509_include_sid = true
Apply the new settings with:
sudo /opt/privx/bin/settings-tool -command migrate
RDP-certificate authentication will work as normal throughout the upgrade process.
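The edit in Option 1 is easy to get wrong by hand (wrong section, or the lines added twice on a second attempt). The helper below is an added example, not PrivX tooling: it applies the two TOML lines idempotently and verifies them so that settings-tool migrate is only run once the file is right. It assumes the logging section header is spelled [AUTHORIZER.logging]; the table and key names are the ones from the notes above, and the sample file content is constructed.

```python
# Added example, not PrivX tooling: apply the Option 1 TOML lines idempotently and
# verify them before running settings-tool migrate. Assumes the logging section
# header is spelled [AUTHORIZER.logging]; table and key names are from the notes.
import re

ANCHOR = "[AUTHORIZER.logging]"
SECTION = "[AUTHORIZER.ca_settings]"
KEY = "rdp_x509_include_sid"
_HEADER = re.compile(r"^\s*\[[^\]]+\]\s*$")
_KEY = re.compile(rf"^\s*{KEY}\s*=\s*(\w+)")
# Constructed stand-in for /opt/privx/etc/settings-default-config.toml.
SAMPLE = '[AUTHORIZER.logging]\nlevel = "info"\n\n[KEYVAULT]\nx = 1\n'


def _tables(lines):
    """Map each TOML table header to its (start, end) line range, end exclusive."""
    starts = [i for i, l in enumerate(lines) if _HEADER.match(l)]
    ends = starts[1:] + [len(lines)]
    return {lines[s].strip(): (s, e) for s, e in zip(starts, ends)}


def sid_enabled(text: str) -> bool:
    """True only if rdp_x509_include_sid = true sits inside [AUTHORIZER.ca_settings]."""
    lines = text.splitlines()
    s, e = _tables(lines).get(SECTION, (0, 0))
    for m in filter(None, map(_KEY.match, lines[s + 1:e])):
        return m.group(1).lower() == "true"
    return False


def ensure_rdp_sid_setting(text: str) -> str:
    """Return text with the setting enabled; unchanged when it already is."""
    if sid_enabled(text):
        return text
    lines = text.splitlines()
    tables = _tables(lines)
    if SECTION in tables:  # table exists: fix the value in place or add the key
        s, e = tables[SECTION]
        for j in range(s + 1, e):
            if _KEY.match(lines[j]):
                lines[j] = f"{KEY} = true"
                break
        else:
            lines.insert(s + 1, f"{KEY} = true")
    elif ANCHOR in tables:  # insert after the logging table, before the next header
        s, e = tables[ANCHOR]
        while e > s + 1 and not lines[e - 1].strip():  # keep its trailing blank line
            e -= 1
        lines[e:e] = ["", SECTION, f"{KEY} = true"]
    else:
        raise ValueError(f"{ANCHOR} not found; add the lines manually")
    return "\n".join(lines) + "\n"
```

Run sid_enabled on the file after editing and again after the upgrade; only run settings-tool migrate when it returns True.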
Option 2: Configure after upgrade
If you choose to configure after upgrade, RDP certificate authentication will not work until the following configurations are done.
After upgrading to 37, go to Administration→Settings→Authorizer, then under CA Options enable the setting Add Security ID extension to RDP X.509 certificates.
Save your changes. RDP-certificate authentication should function normally again.
Upgrade not supported with old PostgreSQL versions
You cannot upgrade to PrivX 35, 36, or 37 if your PrivX deployment uses PostgreSQL version 10 or earlier. You must upgrade the PrivX database to PostgreSQL version 11.x or later before upgrading PrivX.
Note that PostgreSQL 11 has already reached EOL and PrivX support for it will be dropped soon, so we recommend upgrading to at least PostgreSQL 12.x or later.
If postinstall.sh fails to correctly determine your PostgreSQL version during upgrade, see this guide for troubleshooting.
Increased upgrade duration
Upgrading to this version from PrivX 35 or older may take somewhat longer, especially in environments with many hosts and principals. The information for connections (disconnected prior to the upgrade) under the Monitoring page might not appear for some time (proportionally longer based on the amount of data).
Deprecation Warnings
New Go SDK to replace old version
This will be the final major release of Go SDK V1.
Starting with the upcoming version 2.38.0, the SDK will introduce significant changes, including breaking backward compatibility.
We will continue to provide critical bug fixes for version 1, but there will be no new features or support for PrivX versions greater than 37 in that version.
Pure whitespace names disallowed
From version 37 onward, PrivX will no longer be able to create items whose names consist purely of spaces. You will also be unable to update such existing items until their names are changed to contain some visible character(s).
agent-proxy Deprecation Imminent
The agent-proxy functionality shall be removed in PrivX versions 38 and later.
The agent-proxy functionality allowed SSH clients using privx-agent to connect to Extender targets through ssh-proxy. In recent PrivX versions, you can instead use native SSH clients via SSH Bastion, as described here.
Amazon Linux 2 support Ending
PrivX aims to end installation support for Amazon Linux 2 by June 2025. See Migrate from EOL Operating Systems to migrate to a supported OS.
PostgreSQL 11.x Support Ending
PostgreSQL 11.x reached end of life in November 2023, and official support for this version will end in a future release.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
New Features
- [PX-3390] - Allow updating Extenders via the PrivX GUI
- [PX-4467] - Support CipherTrust Manager as HSM Provider
- [PX-6617] - Carrier browser configuration under target-hosts' Services configuration
- [PX-6684] - Rotating Extender, db-proxy, Web-Proxy CA certificates via the PrivX GUI
- [PX-6977] - UI: target domain account and managed account support search
- [PX-7124] - Configurable "Scrollback Length" for SSH web client
- [PX-7032] - role-store: OIDC/SCIM attribute mapping supports windows_sid
- [PX-7040] - Configurable idle timeout for Carrier web connections
Improvements
- [PX-3172] - New Audit Rate Limiting setting for reducing duplicate audit events.
- Applies to Host-modified, RoleContext-usage-alert, and Directory-authentication-failed audit events.
- [PX-3405] - Deploy script support for Oracle Linux
- [PX-6428] - privx.conf is no longer overridden by each upgrade.
- [PX-6873] - Target domains for host accounts can be configured via tags or deploy script
- [PX-7089] - You can no longer create target domains with duplicate names.
- On upgrade to this version, target domains with duplicate names will be automatically renamed e.g. from "td_name" to "td_name (1)".
- [PX-7012] - Refactored role-store node cache sync mechanism
- [PX-7036] - Clearer message when restarting PrivX via the web UI and the number of active connections is unknown
- [PX-7042] - Allow host management without target-domain permissions.
- [PX-7059] - Host accounts: a deleted target domain is now shown as (deleted) instead of an empty line.
- [PX-7070] - Migrate PrivX docs to Doctave v2
- [PX-7192] - A setting to control including SID extension in RDP X.509 certificates
Bug Fixes
- [PX-6531] - Logout expired session not working properly
- [PX-6930] - It's possible to revoke a role directly after the role is already revoked with an approved request
- [PX-6989] - It's possible to save names consisting only of space characters in several places in PrivX
- [PX-7027] - Misfired audit event on .toml config changes in HA environment
- [PX-7028] - Carrier does not list all the running containers
- [PX-7064] - rdp-mitm connection occasionally fails due to /tmp folder permission error
- [PX-7066] - Target domain disabled scanning affects managed accounts' rotation
- [PX-7074] - If carrier browser is changed in host config, user reload should launch a new browser container
- [PX-7076] - Browser container launch fails or takes a very long time
- [PX-7089] - Target domain names are not uniquely constrained
- [PX-7098] - Deploy script has inconsistent behaviour
- [PX-7110] - Deployment via extender fails with Python 3.12
- [PX-7116] - RDP-Proxy: all pending dialogs should be closed when disconnected
- [PX-7117] - Extender uptime is calculated incorrectly
- [PX-7121] - When using PrivX as OIDC provider, OIDC client config does not get synced between nodes
- [PX-7156] - PrivX workflows don't show the maximum time for which access can be requested.
- [PX-7164] - Create managed account UI toggle has opposite meaning of functionality
- [PX-7194] - Users can only request role revocation for other users if they have the same role themselves
- [PX-7280] - Old audit events are prematurely housekept on upgrade
Known Issues
[PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
[PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
[PX-2947] No sound when viewing recorded rdp-mitm connection.
[PX-3086] PrivX role mapping to AD OU not working as expected.
[PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
[PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.
[PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
[PX-4352] UI shows deleted local user after delete
[PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
[PX-4662] Pasting a larger amount of text into a Carrier/Proxy host fails (limited to 16 kB for now)
[PX-4689] PrivX Linux Agent leaving folders in /tmp
[PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
[PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
[PX-6209] Attribute mapping for OIDC does not work if the idtoken source attribute name is not all lowercase
[PX-6464] Secret-manager crashes if the database doesn't have a valid TLS certificate
[PX-7106] VMWare uuid detection by deploy script does not match VMWare API uuid on host scan
[PX-7277] Password rotation certificate validation fails in some cases