21.08 Update 2 Release Notes

The following table outlines the release particulars:
Code name
Iverson, 21.08 update 2
Release date
November 15, 2021
Maintenance release
SHA-256 digest

Improvements, fixes, and performance enhancements

  • Adds the ability for customers to use their own certs to secure Prisma Cloud communication channels by simply copying their custom certs to a predefined directory that Console and Defender containers mount at runtime. The communication channels you can secure with this mechanism are:
    • Console web UI and API (over HTTPS).
    • Console-Defender connection (over a WebSocket).
      This capability is available for Prisma Cloud Compute Edition (self-hosted) only. For more information about how to set this up, see the documentation here.
  • Adds support for OpenShift 4.9.0.
  • [WAAS] Adds support for an SNI-based proxy, so that you can serve multiple top-level domains, each with different TLS certificates, on the same internal port. Previously, when defining two apps using the same port with TLS, where each app had its own certificates, WAAS always used the certificate of the first app for both applications. As a result, the first app would return 200 OK, while the second app would be blocked by a certificate verification (TLS handshake) error.
  • Adds a debug mode for App-Embedded Defender, where all logs are also written to stdout. This makes it easier to debug crashes or other issues when Defender can’t connect to Console. To enable the debug mode, specify an environment variable named TW_DEBUG and set it to TRUE.
  • Updates how serverless scan results are shown. Previously, if an in-progress serverless scan was cancelled, the results from the last scan were deleted, which could lead to empty or partial results being shown. Starting in 21.08 update 2, the last serverless scan results are retained if a currently running scan is cancelled by a newly invoked scan.
    The new scan that caused the previous scan to be cancelled won’t start or run.
  • Fixes how the
    Manage > System > Scan > Unactionable vulnerabilities
    toggle works, making it consistent with the UI text. Previously, when the toggle was enabled, it filtered out vulnerabilities by severity level only. Starting with 21.08 update 2, when the toggle is enabled, vulnerabilities are filtered by both severity level and fix plan. All vulnerabilities with a severity level of "negligible" and a fix plan of "won’t fix" are filtered out. Vulnerabilities with a fix plan of "won’t fix" are filtered regardless of severity.
  • Fixes a high memory usage issue that could cause Console to enter an infinite restart loop.
  • Adds the CAP_IPC_LOCK kernel capability to the Defender DaemonSet so that Defender can run on systems with insufficient mlock limits.
  • Adds coordinates for the Azure West US 3 region so that it’s properly mapped to Arizona on the cloud radar (
    Cloud > Radar
  • Adds missing /util endpoints to the OpenAPI spec file.
  • Fixes an issue where Defender containers failed liveness and readiness checks when a Defender DaemonSet was first deployed to an EKS cluster. The issue occurred when Defender was initializing, and it was trying to fetch host VM tags from AWS, while host network monitoring (
    Radar > Settings
    ) was enabled.

Known issues

  • When triggering custom file system rules that use the new file.md5 attribute on systems with 21.04-based Container Defenders or Host Defenders, none of the r ule’s actions fire (i.e., audit/incident/prevent/block). An error is printed to the Defender log when the md5 attribute is used in a custom rule’s message, but no error, and no audit, is printed when the md5 attribute is used in the custom rule’s condition. The file.md5 attribute was added to Prisma Cloud Compute in 21.08.

Recommended For You