23.1 Release Notes
This update includes the following features, updates, and other changes. These release notes cover information specific to Verify Privilege Cloud Suite and Privileged Access Service.
After applying the February 14, 2023 Microsoft update KB5022842 (OS Build 20348.1547) to a virtualized Windows Server 2022 system with Secure Boot enabled, the server becomes unusable. This issue is reproducible without any IBM Security products installed on the Windows Server 2022 system.
Cause: The issue arises on the second reboot after installing Microsoft update KB5022842 on Windows Server 2022 running on VMware vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x. IBM Security recommends, as a best practice, creating system restore points before applying any upgrades, patches, or system changes.
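As an added pre-reboot check (example code written for these notes, not IBM's or Microsoft's tooling), the following PowerShell function reports whether a Windows Server 2022 guest matches the profile of the issue above: Server 2022, KB5022842 installed, Secure Boot enabled, and a VMware virtual platform. It assumes the VMware vendor strings in Win32_ComputerSystem identify the hypervisor; the ESXi build (6.7 U2/U3 or 7.0.x) is not visible from inside the guest and must be confirmed on the vSphere side. Run it elevated, because Confirm-SecureBootUEFI requires administrator rights.

```powershell
# Added example, not IBM's code: pre-reboot check for the KB5022842 / Secure Boot / ESXi issue.
# Assumption: the hypervisor is identified by the VMware vendor strings in Win32_ComputerSystem.
function Test-KB5022842Risk {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer2022 = $os.Caption -like '*Server 2022*'

    # Get-HotFix returns nothing (or an error we suppress) when the update is not installed.
    $kbInstalled = $null -ne (Get-HotFix -Id 'KB5022842' -ErrorAction SilentlyContinue)

    # Confirm-SecureBootUEFI throws on a legacy-BIOS machine; treat that as "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $onVMware = ($cs.Manufacturer -match 'VMware') -or ($cs.Model -match 'VMware')

    # The issue triggers on a reboot, so also surface whether Windows Update has one pending.
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsServer2022       = $isServer2022
        KB5022842Installed = $kbInstalled
        SecureBootEnabled  = $secureBoot
        OnVMware           = $onVMware
        RebootPending      = Test-Path $rebootKey
        AtRisk             = ($isServer2022 -and $kbInstalled -and $secureBoot -and $onVMware)
    }
}

$r = Test-KB5022842Risk
$r | Format-List
if ($r.AtRisk) {
    Write-Warning 'Matches the known-issue profile: create a system restore point as recommended above and confirm the ESXi build in vSphere before the next reboot.'
}
```

The function only reports; it does not change boot or update state, so it is safe to run on a production guest before a maintenance window.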
New Features
Granular Privilege Elevation Workflow UI
- This enables users to submit workflow requests with specific Privilege Elevation commands.
- Users can find a system in PAS, request Privilege Elevation permission, and then select specific commands or command sets as set up by the administrator.
Documentation
You can find the documentation under the following sections:
Notice of Discontinuation
None.
Resolved Issues and Changes in 23.1
- Fixed the email authentication issues. When users select email as an authentication option for PAS, the email they receive no longer contains a URL link to authenticate; the user must manually enter the One Time Passcode in the session where they initiated the login. (ref: 469681)
- Fixed login and password rotation for the AWS Cloud Provider root account. (ref: 461023)
- Fixed account password rotation for Multiplexed Accounts. Users with edit, delete, and grant permissions on a Multiplexed Account automatically have view permission for that account. (ref: 463715)
- Fixed an issue where emailing reports with the "HTML Table" export type failed when the report had integer-type parameters. (ref: 466537)
- HTTP requests to the RedRock reports data provider endpoint are now protected by the user's report management role permissions. (ref: 468164)
- Fixed iOS enrollment issues that prevented some tenants from enrolling in the iOS mobile app. (ref: 470660)
- Fixed adding command sets to Global Privilege Elevation. Users can now add command sets. (ref: 474752)
- Fixed the second step of the Privilege Elevation add wizard for enrolled systems: the Add button is enabled only after a user, group, or role is chosen. (ref: 474862)
- Fixed errors in the workflow process that blocked access to secrets. (ref: 464006)
Resolved Issues and Changes in 23.1 HF11
- Improved access and retrieval times for secrets and folders in the PAS portal UI and API. (ref: 575357)
Resolved Issues and Changes in 23.1 HF9
- Fixed an issue where the system failed to account for Cisco SSH templates that use a 'host' field instead of the 'machine' or 'domain' fields found in other UNIX SSH templates. (ref: 478014)
- Improved security around OTP code verification. (ref: 578891)
Resolved Issues and Changes in 23.1 HF7
- Fixed a security issue where directory listing information was not properly restricted via an API endpoint. (ref: 551074)
- Fixed a security issue where unrestricted file download was possible through an API. (ref: 551072)
Clients for Linux
Added support for Rocky Linux and Alma Linux:
- Rocky Linux 8.6
- Alma Linux 8.6
Clients for Microsoft Windows
- The Cloud Client can now be installed with all features enabled on Windows workstations, so that customers can log in with cloud-brokered identities and perform MFA at login.
- Customers can also perform tasks based on the DMC and AAPM features.
Known Issues
- When adding specific commands or command sets to a Privilege Elevation Command workflow, you must type the names of the commands or command sets in the search bar to select them; they do not appear automatically.
- If a system already has Privilege Elevation commands or sets assigned to it, the Request Privilege Elevation option does not appear under the Actions menu for that system.
Client Known Issues
- When you log in to an enrolled system and your account is configured for MFA redirection, the service prompts you for your own password, not the password of the MFA redirect user. This applies to systems that have the Cloud Client installed and enrolled.
MFA Known Issues
- When you enable a secondary factor (SMS, phone, email, and so on), ensure that the data each selected factor requires is present in Active Directory for every user; users with missing data can be locked out. You can specify a preferred factor, and if its required data is not present, an alternative selected factor is used. For example, if SMS is the preferred factor and a user has no phone number in AD, IBM Security PAS falls back to another selected factor (for example, email). If the user has neither a phone number nor an email address in AD, the user is locked out.
- Email as an MFA mechanism is subject to users' email providers' spam or junk filters, so the OTP message may not reach the inbox.
- SMS and phone factors are attempted only after the password has been validated. This prevents spam and billing issues if an attacker attempts to brute-force passwords to gain entry.
- For the FIDO2 and On-Device Authentication options, you must log in from the tenant-specific URL.
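The preferred-factor and fallback rule in the first item above, as an added example (not IBM's code): a PowerShell function that picks the first selected factor for which a user has the required directory data, applied to constructed sample users to find who would be locked out before the factor is enabled. The attribute names (mobile, telephoneNumber, mail) are assumptions about how the tenant's directory mapping exposes phone and email; adjust them to match your mapping, and replace the sample array with the Get-ADUser query shown in the comment to run it against a real domain.

```powershell
# Added example, not IBM's code. Models the preferred-factor / fallback rule and flags
# users who would be locked out because no selected factor has data in the directory.
# Attribute names are assumptions; align them with the tenant's directory mapping.
function Get-MfaFactorForUser {
    param(
        [Parameter(Mandatory)] $User,                     # object with mobile, telephoneNumber, mail
        [string[]] $SelectedFactors = @('SMS', 'Email')   # preferred factor first, then fallbacks
    )
    foreach ($factor in $SelectedFactors) {
        switch ($factor) {
            'SMS'   { if ($User.mobile) { return 'SMS' } }
            'Phone' { if ($User.mobile -or $User.telephoneNumber) { return 'Phone' } }
            'Email' { if ($User.mail) { return 'Email' } }
        }
    }
    return $null   # no selected factor has data: this user would be locked out
}

function Find-MfaLockoutRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [string[]] $SelectedFactors = @('SMS', 'Email')
    )
    foreach ($u in $Users) {
        $f = Get-MfaFactorForUser -User $u -SelectedFactors $SelectedFactors
        [pscustomobject]@{
            User             = $u.SamAccountName
            Factor           = $f
            WouldBeLockedOut = ($null -eq $f)
        }
    }
}

# Constructed sample users. Against a real domain, use instead:
#   $users = Get-ADUser -Filter * -Properties mobile, telephoneNumber, mail
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mobile = '+15555550100'; telephoneNumber = $null; mail = 'alice@example.com' }
    [pscustomobject]@{ SamAccountName = 'bob';   mobile = $null;          telephoneNumber = $null; mail = 'bob@example.com' }
    [pscustomobject]@{ SamAccountName = 'carol'; mobile = $null;          telephoneNumber = $null; mail = $null }
)

# Evaluate with SMS as the preferred factor and email as the fallback.
Find-MfaLockoutRisk -Users $users -SelectedFactors 'SMS', 'Email' | Format-Table -AutoSize
```

Run this with the same factor list, in the same order, that you configure in the tenant; any row with WouldBeLockedOut set to True is a user whose directory record needs a phone number or email address before the secondary factor is turned on.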