22.01 Update 1 Release Notes
The following table outlines the release particulars:
Build | 22.01.873 |
Code name | Joule, 22.01 Update 1 |
Release date | March 8, 2022 |
Type | Maintenance release |
SHA-256 digest | e46cece422b28ab99c30d0a484bd3d2129e69b36d9e0dc901424b1bd29bd39f1 |
Improvements, fixes, and performance enhancements
- Fixes an issue with the new feature in 22.01 to automatically manage renewal of certificates issued by the Console. If you are using a load balancer to direct traffic to Console, this fix addresses compatibility issues with load balancers.
- Updates open source packages used in Prisma Cloud Compute.
- Fixes an issue where after defining a label key in Manage > Alerts > Alert labels, the label isn’t designated as a Custom label in either the container detail dialog or the corresponding downloadable CSV file.
- Fixes a regression where the source of external labels for images and containers wasn’t displayed.
- Adds the iam:SimulatePrincipalPolicy AWS permission to the agentless CloudFormation template to enable preflight check for agentless scanning permissions. Preflight checks will be added as a new capability in the next major release of Prisma Cloud Compute.
- Cleans up partial entries in container collections when upgrading from 21.08 and later. These partial entries cause Console to incorrectly report the actual number of deployed WAAS application firewalls.
- Fixes an issue with upgrading to 22.01 from 21.08 when there was an XSOAR alert (now named Cortex alert) configured in 20.12. Upgrade migration code has now been fixed.
- Updates Prisma Cloud Compute to consume the SUSE SLES OVAL feeds. Vulnerability data is now provided for:
  - SLES 12 SP3 - SP5
  - SLES 15 SP1 - SP4
- Fixes an issue where the host radar isn’t populated with any scan data if only agentless scanning is enabled (that is, no Defenders are deployed to your environment).
- Fixes an issue in the agentless scan set up wizard’s summary page to correctly show regions selected for scanning.
- [SaaS] Fixes an issue in the Prisma Cloud Compute SaaS Console where deep links to a Compute page incorrectly redirect to Compute’s Radar page.
- Tests Prisma Cloud Compute on a newer version of RKE2, specifically RKE2 v1.22.5+rke2r1 with containerd 1.5.8-k3s1.
- Fixes a UI/UX issue in Console to better communicate progress for retrieving the latest data in Vulnerability Explorer after clicking the Refresh button.
- Adds the option to run the Fargate Defender sidecar as a non-essential container. This configuration is not recommended because the goal of Defender is to ensure that a task is always protected. By setting Defender as non-essential, we can’t be sure that Defender is running. If you’re having an issue, first validate that Defender is running as expected before opening a support case.
- Fixes a CSS issue for the date picker in the filter controls in the Console UI.
- [WAAS] Removes ciphers vulnerable to the Sweet32 attack, specifically TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA in TLS versions 1.0, 1.2, and 1.3.
- [WAAS] Adds a new toggle in the rule dialog under Advanced proxy settings that allows requests with malformed HTTP headers to be passed to the protected app as-is. By default, this setting is disabled, which aligns with how WAAS operated in previous releases.
- Updates the minimum supported version of Jenkins for the Prisma Cloud Compute Jenkins plugin to 2.319.1. Jenkins version 2.319.1 currently has no critical vulnerabilities.
- Fixes an issue with Defender incorrectly reporting feature statuses (process monitoring, file system monitoring, etc) when Defender connects to Console, disconnects shortly thereafter, and then reconnects again.
Upgrade considerations
In order to uniformly support all cloud providers, we changed the PCC (Prisma Cloud Compute) resource labels in the agentless CloudFormation templates.
The following labels were updated in 22.01 update 1:
Original label | New label |
---|---|
Created By | created-by |
PrismaCloud-Agentless-Scan | prismacloud-agentless-scan |
If you set up agentless scanning in 22.01.839 or 22.01.840, and you’re now upgrading to 22.01.873 (22.01 update 1), then follow these instructions when upgrading:
- Ensure all agentless scans are completed before upgrading.
- After upgrading, download the latest agentless CloudFormation templates from Console and reapply them.
Note that each affected label is used in two places in each template (scan hub, target, and target with hub).
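An added example (not from the original page or from Prisma Cloud): a Python check that walks a parsed CloudFormation template and reports where the old labels from the table above still appear, which helps confirm that the templates you reapply use the new labels. The sample template is constructed for illustration; its resource layout and IAM condition are assumptions, not the contents of the real agentless templates.

```python
# Label renames from the table above (22.01 update 1).
RENAMED = {
    "Created By": "created-by",
    "PrismaCloud-Agentless-Scan": "prismacloud-agentless-scan",
}

# Constructed sample, NOT the real agentless template (layout is an assumption).
# For a real file, parse it first, e.g. json.load(open(path)).
OLD_TEMPLATE = {"Resources": {"ScanRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "Tags": [{"Key": "Created By", "Value": "PrismaCloud-Agentless-Scan"}],
        "Policies": [{"PolicyName": "cleanup", "PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "*",
            "Condition": {"StringEquals": {
                "aws:ResourceTag/Created By": "PrismaCloud-Agentless-Scan"}},
        }]}}],
    },
}}}

def find_old_labels(node, path="$"):
    """Return (json_path, old_label) for every old label left in the template.

    Dict keys and string values are both checked, because a label can be a
    tag key or value, or be embedded in a longer string such as an IAM
    condition key. Matching is case-sensitive, so new labels never match.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += [(f"{path}.{key}", old) for old in RENAMED if old in key]
            hits += find_old_labels(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits += find_old_labels(item, f"{path}[{i}]")
    elif isinstance(node, str):
        hits += [(path, old) for old in RENAMED if old in node]
    return hits

def audit(template):
    """Count hits per old label; an empty dict means nothing is left to migrate."""
    counts = {}
    for _, old in find_old_labels(template):
        counts[old] = counts.get(old, 0) + 1
    return counts

if __name__ == "__main__":
    for where, old in find_old_labels(OLD_TEMPLATE):
        print(f"{where}: still uses {old!r}; expected {RENAMED[old]!r}")
```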
Known issues
- When Defender is installed on Windows hosts in AWS, and Prisma Cloud Compute Cloud Discovery is configured to scan your environment for protected hosts, the Windows hosts running Defender are reported as unprotected.
- The upgrade to 22.01 update 1 fails if you have changed the rule name for the default CVE rule in Defend > Vulnerabilities > Images > Deployed from Default - ignore Twistlock components to anything else, or deleted the rule. To upgrade successfully, the rule must exist and must be named Default - ignore Twistlock components.
  Workaround to address the upgrade failure:
  - Revert to the 22.01 console by modifying the image that you use to deploy Console.
  - Do one of the following:
    - If you deleted the rule, create a new rule in Defend > Vulnerabilities > Images > Deployed called Default - ignore Twistlock components.
    - If you renamed the rule, rename the default CVE rule in Defend > Vulnerabilities > Images > Deployed to use the default rule name Default - ignore Twistlock components.
  - Upgrade to the 22.01 update 1 release.
End of support notifications
- RHEL 6 is no longer supported on Prisma Cloud Compute starting with this release, 22.01 Update 1. RHEL 6 is no longer generally available as stated on the Red Hat website.
Upcoming breaking changes
- In the next major release of Prisma Cloud Compute, code-named Kepler, Fargate tasks protected by App-Embedded Defenders will be grouped together in collections using the "App IDs" field. Until now, and for all 22.01 releases, collections of Fargate tasks are specified using the "Hosts" field. In Console, Fargate tasks are referred to as "Hosts" in vulnerability, compliance, and incidents pages. Starting in the next major version of Prisma Cloud Compute, all App-Embedded collections, including Fargate tasks, will be defined by the "App ID" field. After upgrading to Kepler, you might need to update your existing collections to use the "App IDs" field rather than the "Hosts" field to maintain the correct grouping of resources for filtering, assigning permissions, and scoping vulnerability and compliance policies. Also, the CSV file export for vulnerability scan results, compliance scan results, and incidents will change. Fargate tasks protected by App-Embedded Defender will be reported under the "Apps" column rather than the "Hosts" column.
- Due to the deprecation of the Azure AD Graph API, in the next major release of Prisma Cloud Compute, code-named Kepler, you will need to change the application permissions when using Azure Active Directory as a SAML identity provider for Compute. When configuring Azure, you must replace the Directory.Read.All permission for Azure Active Directory Graph with the Directory.Read.All permission for the Microsoft Graph API to continue using SAML authentication with Azure Active Directory. The article on how to Add permissions to allow Prisma Cloud Console to query the Azure Active Directory API will be updated in the Kepler release.