22.06 Update 2 Release Notes

The following table provides the release details:
Build
22.06.213
Codename
Kepler, 22.06 Update 2
Release date
Sep 19, 2022
Type
Maintenance release
SHA-256 digest
d780dd3e80152d98f585868e3dd73e5e02e66c5d1d604a4831694e89d9aadabd

Enhancements

HTTPS Proxy Support for Agentless Scanning

Agentless scanning now supports connections over an HTTPS proxy server. If you use custom certificates for authentication, you can now configure custom certificates for the connection to Console when using agentless scanning.

Embed a Defender in a CloudFormation Fargate Task in YAML format

Prisma Cloud Compute now supports embedding a Defender to a CloudFormation Fargate task in the YAML format, in addition to the JSON format.
Also, Prisma Cloud now supports generating a protected Fargate task definition for a full CloudFormation template that contains other resources except for the task definition itself.
Use the Console (Manage > Defenders > Deploy > Defenders) or the APIs (/api/22.06/defenders/fargate.yaml, /api/22.06/defenders/fargate.json) to complete the workflow.

Update for CVE-2022-36085

As part of this release, Prisma Cloud has rolled out an update to the vulnerability data stream for CVE-2022-36085. After updating to the enhanced intelligence feed, you may see alerts on vulnerabilities in Prisma Cloud components and Defender images of releases 22.06 Update 1 or older versions. We have determined that Prisma Cloud components are not impacted by these vulnerabilities. There is no risk to continue running any of the supported Prisma Cloud releases.
To ensure these vulnerability alerts do not display, we recommend upgrading to the latest 22.06 release where applicable. If you are not ready to upgrade right away, add an exception in the default Ignore Twistlock Components rule (under Defend > Vulnerabilities > Images > Deployed) to suppress these vulnerability alerts.

Support for Additional Orchestrators on x86 Architecture

  • Google Kubernetes Engine (GKE) version 1.24.2 with containerd version 1.6.6
  • Elastic Kubernetes Service (EKS) version 1.23.9 with containerd version 1.6.6
  • Azure Kubernetes Service (AKS) version 1.24.3 with containerd version 1.6.4+azure-4 running on Linux
  • AKS version 1.24.3 running with containerd version 1.6.6+azure on Windows
  • Lightweight Kubernetes (k3s) version v1.24.4+k3s1 with containerd 1.6.6-k3s1
  • Openshift version 4.11 with CRIO 1.24.1
  • Rancher Kubernetes Engine (RKE) version 1.24.4+rke2r1 with containerd 1.6.6-k3s1

Name Update for Cloud Native Network Firewall (CNNF)

The Cloud Native Network Firewall (CNNF) is now renamed as Cloud Native Network Segmentation (CNNS).

Addressed Issues

  • Fixed an issue that caused Defender to incorrectly report the Host OS as SLES15SP1 instead of SLES15.
  • Fixed an internal error that failed to refresh the vulnerability statistics under
    Monitor > Vulnerabilities > Vulnerability Explorer
    .
  • Fixed two issues with Defenders running on containerd/CRI-O nodes:
    • Defenders attempted to scan host file systems during image scans for containers that changed to the host mount namespace. This issue is fixed.
    • Defenders attempted to scan the host where the image had a mount point to the host filesystem and some parent directory of the mount point was a symlink.
  • Fixed an issue that prevented editing WAAS rules. On upgrade to 22.06, it was not possible to update or modify WAAS rules configured to protect the same port at multiple endpoints with different attributes, such as TLS, HTTP2, and gRPC. With this fix, such rules can now be modified.
  • Fixed the
    "Missing required VM instance data"
    error encountered during agentless scanning on Azure. Azure hosts with unmanaged operating system disks are skipped during the scan. Agentless scanning doesn’t support Azure hosts with an unmanaged operating system disk.
  • Fixed a high memory usage issue in Linux distributions where CNNF/CNNS was enabled. In addition to upgrading to this release, CNNF/CNNS users are advised to upgrade 4.15.x kernel to >=5.4.x kernel.

End of Support Notifications

Upcoming breaking changes

On upgrade to the next release, Lagrange, if you have configured an alert profile on
Compute > Manage > Alerts
and enabled the
Image vulnerabilities (registry and deployed) trigger
as well as the
Immediately alert for deployed resources
setting, you will now be getting immediate alerts for vulnerable registry images along with immediate alerts for deployed images.
The volume of immediate alerts that are generated may be much higher than what you’ve seen in the previous releases because support for immediate alerting for registry images is being added in Lagrange. With this change, the Image vulnerabilities (registry and deployed) option is being separated into two: Deployed images vulnerabilities and Registry images vulnerabilities, and both these triggers will be enabled if the original trigger was enabled in the alert profile.

Recommended For You