22.3 Release Notes

This update includes the following features, fixes, and other changes. These release notes cover information specific to Verify Privilege Cloud Suite; be sure to read the 22.3 Release Notes.

After applying the February 14, 2023 Microsoft update KB5022842 (OS Build 20348.1547) on a virtualized Windows Server 2022 system with Secure Boot enabled, the server becomes unusable. This issue is reproducible without any IBM Security products installed on the Windows Server 2022 system.

Cause: The issue arises on the second reboot after installing the Microsoft update KB5022842 on Windows Server 2022 running on VMware vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x. IBM Security recommends, as a best practice, creating system restore points before applying any upgrades, patches, or other system changes.

New Features

Privilege Elevation with added group privileges (Windows)

  • This enables users to run Elevated Privilege commands as the same user who is connected to the session, with local Administrator group privileges added, rather than running the command as a local <username>-priv user created just for this purpose.

Set-Based Unix Profile Role Mapping Settings

  • This enables customers to expose PAS Roles to sets of enrolled Linux systems, rather than to all enrolled systems (the existing behavior).

Granular Privilege Elevation Workflow Preview

  • This enables users on the command line to request Privilege Elevation for specific commands or command sets, rather than always requesting the ability to run ALL commands as Administrator/root.
  • When adding a new Privilege Elevation command, users can specify a local user to run the privileged command as. The user has to append @localhost to the Run As User field (example: localuser@localhost).

Documentation

You can find the documentation under the following sections:

Notice of Discontinuation

None.

Resolved Issues and Changes in 22.3

  • Verify Privilege Cloud Suite features such as AgentAuth, AAPM, and DMC are now supported on Windows Workstations (Windows 10 and 11).

  • Fixed an issue in the privilege elevation workflow where events in the Activity log showed that commands were run without an authentication challenge, when in fact the user was prompted for additional authentication when running the command after the workflow request was approved. (ref:388576)

  • Fixed an issue with running the cenroll command with only the -Z option and no argument attached to it; that command combination now returns an appropriate error. (ref:448531)

  • When a user selects Email as the option to authenticate to PAS, the email sent to the user does not contain a URL link to authenticate. The user must manually enter the One Time Passcode in the session where the login was initiated.

Resolved Issues and Changes in 22.3 HF1

  • Additional ARN formats are now supported when managing AWS credentials. (ref:416069)

  • Improved WebRDP experience related to network latency. (ref:431794)

Supported Platforms

Clients for Linux

Added support for Rocky Linux and Alma Linux:

  • Rocky Linux 8.6

  • Alma Linux 8.6

Clients for Microsoft Windows

  • The Verify Privilege Cloud Suite agent can now be installed with all features enabled on Windows workstations, so that customers can log in with cloud-brokered identities and perform MFA at login.
  • Customers can also perform tasks based on the DMC and AAPM features.

Known Issues

Client Known Issues

  • When you log in to an enrolled system and your account is set up to use MFA redirection, the service prompts you for your password, not the password for the MFA redirect user. This feature is available on systems that have the Cloud Client installed and enrolled.

MFA Known Issues

  • Ensure required data for each selected authentication factor is present. When selecting the use of a secondary factor (SMS, phone, email, etc.), ensure that the data is present in Active Directory for all users; otherwise users with missing data may be locked out. You can specify a preferred factor, and if its data is not present an alternative selected factor will be used. For example, if a user has no phone number in AD and SMS was the preferred factor, IBM Security PAS will fall back to another selected factor (for example, email). If the user has neither a phone number nor an email address in AD, the user would effectively be locked out.
  • Email as an MFA mechanism is subject to spam/junk filters. Be aware that using email as an MFA mechanism may be affected by users' email providers' spam or junk filters.
  • SMS/phone are only attempted once a password is validated. This prevents spam and billing issues if an attacker attempts to brute force passwords to gain entry.
  • For the FIDO2 and On-Device Authentication options, you need to log in from the tenant-specific URL.
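The factor fallback described in the first known issue above can be checked ahead of time against a directory export. The following is an added example, not code from IBM or from the product: it models the documented behaviour (preferred factor first, then any other selected factor, effective lockout when no selected factor has data) over constructed sample records, so an administrator can list at-risk accounts before enabling a secondary factor. The attribute names mapped to each factor and the sample records are assumptions.

```python
"""Audit which directory accounts would be locked out by an MFA factor policy.

Added example, not part of the IBM release notes. It reproduces the
documented fallback order: the preferred factor is used when its data is
present; otherwise any other selected factor with data is used; if none
has data the user is effectively locked out.
"""
from typing import Dict, List, Optional

# Directory attribute assumed to hold the data for each secondary factor.
# These mappings are an assumption for the example, not product configuration.
FACTOR_ATTRIBUTE: Dict[str, str] = {
    "sms": "mobile",
    "phone": "telephoneNumber",
    "email": "mail",
}

# Constructed sample directory records (not real users).
SAMPLE_USERS: List[Dict[str, str]] = [
    {"sAMAccountName": "alice", "mobile": "+15550100", "mail": "alice@example.com"},
    {"sAMAccountName": "bob", "mail": "bob@example.com"},          # no phone number
    {"sAMAccountName": "carol", "telephoneNumber": "+15550102"},   # landline only, no email
    {"sAMAccountName": "dave"},                                    # no factor data at all
]


def has_factor_data(user: Dict[str, str], factor: str) -> bool:
    """True when the directory attribute backing this factor is non-empty."""
    attribute = FACTOR_ATTRIBUTE[factor]
    return bool(user.get(attribute, "").strip())


def select_factor(user: Dict[str, str], preferred: str, selected: List[str]) -> Optional[str]:
    """Return the factor the service would use for this user, or None if locked out.

    Mirrors the documented order: preferred factor first, then any other
    selected factor that has data in the directory.
    """
    if preferred not in selected:
        raise ValueError("preferred factor must be one of the selected factors")
    if has_factor_data(user, preferred):
        return preferred
    for factor in selected:
        if factor != preferred and has_factor_data(user, factor):
            return factor
    return None


def audit_lockout_risk(users: List[Dict[str, str]], preferred: str, selected: List[str]) -> List[str]:
    """Return the sorted account names that no selected factor can reach."""
    return sorted(
        user["sAMAccountName"]
        for user in users
        if select_factor(user, preferred, selected) is None
    )


if __name__ == "__main__":
    # Policy under review: SMS preferred, email as the only fallback.
    at_risk = audit_lockout_risk(SAMPLE_USERS, preferred="sms", selected=["sms", "email"])
    for name in at_risk:
        print(f"{name}: no data for any selected factor; would be locked out")
```

Run it against a real export by replacing SAMPLE_USERS with records read from your directory; adding "phone" to the selected list shows how widening the policy changes the at-risk set (carol drops out because her telephoneNumber is populated, dave remains).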