Prisma Cloud Compute Edition Release Notes
    : 22.12 Release Notes
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Release Notes
    5. Prisma Cloud Compute Edition Release Information
    6. 22.12 Release Notes
    Download PDF

    Prisma Cloud Compute Edition Release Notes

    22.12 Release Notes

    Table of Contents

    22.12 Release Notes

    The following table outlines the release particulars:
    Build
    22.12.415
    Code name
    Lagrange
    Release date
    Dec 04, 2022
    Type
    Major release
    SHA-256 Digest
    8eb42278ef8a538363ec9814b9ff78e099c9ab10fcd2cdde135b0c2a4c6b687b
    Review the system requirements to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators.

    CVE Coverage Update

    As part of the 22.12 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
    • CVEs in Go packages are now detected in the package scope for more accurate results, and not only in the module scope. To read more about Go modules and packages, see Modules overview.
    • Fix date improvement. For any feed collected by IS that does not provide a fix date for CVE, Prisma Cloud Compute will determine the fix date as the date when the fix for the CVE was first seen by the Intelligence Stream.
    • Fixed versions enriched for fixed vulnerabilities.
    • New PRISMA-IDs have increased 131% since the Kepler major release.
    • Fast addition of CVEs (pre-filled CVEs).
      CVEs were added to the Intelligence Stream on an average of 13 days before they were analyzed in the NVD. As an example, a Kubernetes CVE (CVE-2022-3172) was published on September 16, 2022. The CVE was added to the Prisma Cloud Intelligence stream on September 19, 2022. And at this time in December 2022, the CVE is still reserved in MITRE and not analyzed in NVD.

    New Features in Agentless Security

    Agentless Vulnerability Scanning of Containers in AWS, Azure, and GCP

    You can now use agentless scanning to identify vulnerabilities in your deployed containers and images for AWS, Azure, and GCP platforms, and view the results of the agentless scans on
    Monitor > Vulnerabilities > Images> Deployed
    . For more information, see Agentless Onboarding documentation

    Agentless Scanning for Oracle Cloud Infrastructure

    You can now onboard Oracle Cloud Infrastructure accounts for agentless scanning of your hosts on Oracle Cloud Infrastructure (OCI). You can view the results of the vulnerability scans on
    Monitor > Vulnerabilities > Images> Deployed
    .

    New Features in Core

    Vulnerability Scanning of Debian 11 Distroless Images

    Defenders now scan distroless container images for vulnerabilities and display the results on
    Monitor > Vulnerabilities > Images
     along with other scans. The following distroless images are supported.

    Immediate Image Registry Scanning

    You can now trigger a specific image scan in the registry and get immediate results. This allows you to scan the images as soon as they are added to the registry, without waiting for the scheduled scans. Triggering the scan is done using the Scan Registry API, and this API scan will not interrupt the ongoing scheduled scans that are run from under
    Monitor > Vulnerabilities > Images > Registries
    .
    The registry must first be configured in the registry settings to scan images.

    Deployment Date and Elapsed Time for Deployed Image

    You can now view the deployment date and the elapsed time since the image was first deployed in a container.
    See the image details view in the
    Vulnerability Explorer
     and
    Radar
     to determine the start time of a vulnerable image.

    Support for More Registry Entries

    You can now add up to 19,999 registry entries to
    Defend > Vulnerabilities > Images > Registry settings
    . And on
    Monitor > Vulnerabilities > Images > Registries
    , view scan results for a maximum of 100,000 images.
    NOTE: When you upgrade to Lagrange, if you have configured 20,000 entries or more, you cannot add or update any registry settings until you are within the limit of 20,000. To add or modify any registry settings, you must delete the entries that exceed the limit.

    Individual Effects per Protection for Container Runtime Policy

    The Container runtime policy rules now allow individual effect per protection, such as. anti-malware, crypto miners, reverse shell attacks, etc. instead of one global effect for each section - Processes, Networking, File System, and Anti-malware. The effect includes the following options: Disabled/Alert/Prevent/Block according to the supported effects for each detection.
    To allow for individual effects per protection, the container runtime rule schema of the rules has changed. Refer to the API Container runtime policy page for the updated schema.
    As a result, if you manually export rules from 22.06 or older versions of Console to 22.12 Console, the operation will fail.
    The existing rules will be migrated into the new schema by taking the single global effect from each section of the rule (Processes, Networking, and File system) and setting that effect to each one of the detections in that section. For example, if the Networking section effect was "Alert", now each one of the detections under Networking - Networking activity from modified binaries, Port scanning, and Raw sockets will get the "Alert" effect.
    To support the effect conversion for Defenders from supported previous versions, or when fetching the rules using an API of a previous version, we convert from an individual effect per detection to a single effect per section. In the conversion, we will take the least severe effect for the detections that are enabled and set it as the section effect. For detections with the Disabled effect the toggle will be disabled.

    FIPS 140-2 Certification

    The FIPS 140-2 Level 1 BoringCrypto GoLang branch has been merged into GoLang 1.19. You can deploy the Console and Defender to enforce the use of the FIPS validated cryptographic libraries and cipher suites.

    Custom Certificate Trust for Registry Scanning

    You can now enter a custom self-signed certificate while configuring the registry scans, this allows Prisma Cloud to validate the registry.
    Custom CA certificate validation is supported only for non-Docker nodes (Defenders running on CRI runtime) and for the following providers:
    • Docker registry v2
    • JFrog Artifactory (On-prem)
    • Harbor
    • Sonatype Nexus

    Support for JFrog Artifactory Registry Scan on JFrog Cloud

    Fixed an error with JFrog artifactory registry scan running on JFrog Cloud. With Lagrange, the Defenders support registry scans and on-demand scans running on both JFrog On-prem and JFrog Cloud.

    Vulnerability Assessment for Go Packages

    CVEs in Go packages are now detected at the package level for more accurate results, and not only at the module level. To read more about Go modules and packages, see Modules overview.

    Immediate Alerts for Registry Scan Vulnerabilities

    Added support for sending immediate alerts for registry images vulnerabilities. When configuring alerts under
    Compute > Manage > Alerts
    , the "Immediately alert for vulnerabilities" toggle now applies not only to deployed images and hosts but also to registry images. Furthermore, the existing trigger for "Image vulnerabilities (registry and deployed)" is now split into 2 triggers: "Deployed images vulnerabilities" and "Registry images vulnerabilities", to allow you to configure your alert profile as granular as your environment requires.
    If you already have an alert profile with
    Deployed image vulnerabilities (registry and deployed)
     along with
    Immediately alert for vulnerabilities
     enabled, then post Lagrange upgrade you might, depending on your environments, start getting loads of immediate alerts for vulnerable registry images along with immediate alerts for deployed images.

    Risk-Factor Based Actions

    Vulnerability rules for images and hosts can now trigger different actions such as alert, block, and fail based on risk factors. All the vulnerabilities that match either the severity thresholds or the risk factors will be listed in the scan results under
    Monitor > Vulnerabilities > Images > Deployed/Registries/CI
    .

    Exceptions for Base Image Vulnerabilities

    For deployed and CI images, you can now exclude base image vulnerabilities introduced by the base images or the middleware image while configuring the Vulnerability Management rules under
    Defend > Vulnerabilities > Images > Deployed/CI
    . To use this feature, you need to first specify the base image under
    Defend > Vulnerabilities > Images > Base images
    .
    When you enable this feature, the vulnerabilities that come from the base images will not be included on the scan results view under
    Monitor > Vulnerabilities > Images > Deployed/Registries/CI
    .

    Alert Trigger Enhancements for Google Security Command Center

    The following new fields were added to existing alert triggers for Google SCC.
    • Image vulnerabilities (deployed)
      : Includes the following properties.
      • Collections
      • Cluster Name
      • Account ID
    • Container runtime
      : Includes the following properties.
      • Collections
      • Cluster Name
      • Account ID
    • Incidents
      : Includes the following properties.
      • Collections
      • Cluster Name
      • Account ID
    The container and image compliance trigger was added for Google SCC. This new trigger sends full data with every scan.

    Path and Layer Information in Syslog Output

    The image scan syslog output that the Prisma Cloud Console produces now includes two new fields: package_path and layer.
    The host scan syslog output that the Prisma Cloud Console produces now includes one new field: package_path.
    The twistcli command line interface JSON output also shows the following new fields.

    Regional STS Endpoint Support for Defender on AWS

    AWS recommends the use of a regional STS endpoint over the use of the global STS endpoint sts.amazonaws.com. When onboarding your AWS cloud account, you can now use a regional sts.REGION.amazonaws.com STS endpoint. Then, your deployed Defenders don’t need to access the global STS endpoint. Defenders can get the STS token from the regional STS endpoint to perform scans such as registry scans. To enable regional STS endpoints, refer to the AWS documentation.

    Enhancement for Prisma Cloud Console Metrics to Prometheus

    If you enabled Prometheus logging under
    Manage > Alerts > Logging
    , the following metrics from the Prisma Cloud Console are now shown.
    Name
    Description
    Type
    The total number of registry images scanned.
    Gauge
    The total number of container active incidents.
    Gauge
    The total number of container archived incidents.
    Gauge
    The total number of host active incidents.
    Gauge
    The total number of host archived incidents.
    Gauge
    The total number of incident snapshots on the console.
    Gauge
    The size in MB of incident snapshots.
    Gauge
    The total backups stored on system.
    Gauge
    The total Number of CI scanning results in Console.
    Gauge
    For tenant projects, returns 1 if the tenant project is connect to the master console.
    Gauge
    The total number of consumed collections by compliance rules.
    Gauge
    The total number of consumed collections by vulnerability rules.
    Gauge
    The total number of consumed collections by runtime rules.
    Gauge

    Support to Generate Vulnerability Reports by Package

    You can filter the
    Vulnerability (CVE) results
     in the Vulnerability Explorer (
    Monitor > Vulnerabilities > Vulnerability Explorer
    ) to view the vulnerabilities present in your deployments in a package pivot. Similarly, you can also filter using risk factors.

    Support for Distro-level Exclusions in Package Vulnerability Scans

    Package vulnerability scans now account for any exclusions based on vendor-specific distributions. For the packages you install through the operating system, the vulnerability scans show you only the vendor-specific analysis, if it exists. If you don’t install the packages through the operating system package manager, the scan shows the relevant vulnerabilities for the packages. Your scan results might change and you can review the results under
    Monitor > Vulnerabilities
    .

    Dedicated Defenders for Blobstore Scanning

    To specialize the function of the Defenders in Tanzu environments, you can now deploy dedicated Defenders that only perform blobstore scanning and are deployed on dedicated Linux VMs. Use the dedicated scanners if you want to avoid using the Defenders installed on the Diego cells to perform the blobstore scanning. The dedicated Blobstore scanning Defenders are not supported on Windows VMs.

    Upgrade Confirmation for Defenders on Tanzu

    When you upgrade to v22.12, the Defenders in Tanzu environments are automatically upgraded and the user confirmation for upgrading to subsequent versions becomes available. To upgrade the Defenders in your Tanzu environment starting with the next update for v22.12, download the latest tile from the Prisma Cloud Console and import it into your environment using the Tanzu Ops Manager. With this change, Tanzu Defender upgrade is not available directly from the Prisma Cloud Console.

    Added Support for Tanzu Application Service (TAS) on Windows

    You can now deploy Defenders to scan your Windows TAS environments. The Defenders are deployed as addon software on the Windows Diego cells of your TAS environment, which is similar to how they are deployed on Linux. You must now select the Orchestrator deployment method to deploy the TAS Defenders. Defenders on Windows TAS environments don’t support the following features.
    • Scan of applications running Docker images on TAS
    • Use of a proxy to install a tile
    • Cert-based authentication
    • Blobstore scanning: Defenders on Windows can’t be scanners and Windows droplets have no results.

    New Fields to Splunk Alerts

    The following fields are added to Splunk alerts.
    • command - Shows the command which triggered the runtime alert.
    • namespaces - Lists the Kubernetes namespaces associated with the running image.
    • startup process - Shows the executed process activated when the container is initiated.

    In-Depth Scanning of Nested Java Archives

    In previous releases, Defenders scanned two levels deep in nested Java Archives (JARs). The latest version of Defender can scan up to ten levels of nested JARs. While this level of nesting is atypical, this capability improved the scan accuracy by detecting the vulnerabilities in the deepest nested jars. You can view the vulnerabilities in your images with the following steps.
    1. Go to
      Monitor > Vulnerabilities > Images
      .
    2. Filter the results to show your packages using JARs.
    3. Click on the shown results to see the details.
    4. Go to Package info and filter the results.

    Twistcli Sandbox for Third-Party Assessment Tools

    To help you augment and expand the compliance checks the twistcli sandbox now enables you to run a third-party binary/script of choice within the sandboxed container.
    You can view the scan results on the mounted volume and on
    Monitor
    Runtime
    Image analysis sandbox
    . In this example the output of the 3rd party testing tool will be written to the /opt/sandbox_testing_tools/output.txt file on the sandbox host.

    New Features in Host Security

    Application Control for Hosts

    You can now set specific application control rules to make sure your Linux hosts that are protected by Defenders, can install or run specific application versions. The Application control rules allow you to define the match criteria and the severity levels, and to enforce compliance, you must attach the rule to your compliance policy. In addition, you can import the list of applications and versions from hosts in your environment to easily create new application control rules.

    New Features in Serverless

    Account Information and Filtering for serverless functions

    You can now filter the Serverless functions for vulnerabilities and compliance issues with specific Account IDs for each Cloud provider. The account ID column is added under
    Defend/Monitor > Vulnerabilities/Compliance > Functions
    .
    Existing customers won’t see the Account ID until the customer’s accounts are re-added to Prisma Cloud.

    New Features in WAAS

    Automated Patch for Known CVEs

    Introduced a capability in custom rules to Auto-apply virtual patches to known CVEs vulnerabilities detected by Prisma Cloud under
    Defend > WAAS > Container/Host > In-Line/Out-of-band
    . You can override the default effects by selecting User-selected custom rules that are always applied regardless of the global
    Auto-apply virtual patches
    .

    Enhancement in API Discovery

    The
    Monitor > WAAS > API discovery
     is enhanced to include all discovered resource paths with HTTP method, instead of a per-app view. The API discovery page now includes
    Path risk factors
     to flag endpoints that have sensitive, unauthenticated, or internet-accessible data.
    You can also protect all endpoints in an app with a single click and download the API specifications in JSON.
    Create a WAAS rule under
    Defend
    WAAS
    Sensitive data
     to identify and flag sensitive data from the discovered endpoints on the API discovery page.

    Allow list to Bypass Geo Access Control

    You can now add a specific network list to bypass the IP-based or Geo-based access control under
    Defend > WAAS > Container/Host/App-Embedded/Agentless > Add/Edit App > Access control > Network controls > Exceptions
     allowing you to exempt specific IPs from the access control rules.

    JWT Parsing

    WAAS Custom rules expressions are extended to support functions that validate Java Web Tokens (JWTs) in both requests and responses, in order to inspect the content for malicious, sensitive, and insecure information, and extract key values from the payload.

    Support TLS in Out of Band Rules

    WAAS Out-Of-Band now supports TLS (1.0, 1.1, 1.2) protocol.
    You can enable the TLS support for an endpoint in
    Defend > WAAS > Container/Host > Out-of-Band
     and enter the TLS certificate in PEM format.

    Simplified Onboarding for VPC Traffic Mirroring

    Setting up WAAS for agentless now comes with easier onboarding configuration for AWS VPC traffic mirroring under
    Defend > WAAS > Agentless
     that auto-deploys the Observers into the AWS instance and creates sessions with the resources within your VPC to monitor the incoming/outgoing traffic.

    WAAS Defend Tabs Reorganized

    WAAS defend tabs are now reorganized to distinguish between Agentless and agent-based OOB rules. Out-Of-Band tab is split into Agentless that supports VPC traffic mirroring, Container OOB, and Host OOB.
    Monitor > Events > WAAS for out-of-band
     is now changed to
    Monitor > Events > WAAS for agentless
    , and the out-of-band events are included along with the in-line events under
    WAAS for containers
    ,
    WAAS for App-Embedded
    ,
    WAAS for hosts
    , and
    WAAS for serverless
    .

    API Changes and New APIs

    Supports new body parameters for a Defender daemonset script

    You can use the following new optional body parameters in POST, api/vVERSION/defenders/helm/twistlock-defender-helm.tar.gz and POST, api/vVERSION/defenders/daemonset.yaml to create a daemonset install script for a Defender with customized parameters: * Annotations * Tolerations * CPULimit * MemoryLimit * PriorityClassName * RoleARN

    API support for Agentless Scanning

    Adds support for agentless scanning for vulnerabilities and compliance in hosts and containers. You can use the following APIs: POST, api/vVERSION/agentless/templates: Downloads a tarball file containing the agentless resource templates required with the credential for onboarding. POST, api/vVERSION/agentless/scan: Starts an agentless scan. GET, api/vVERSION/agentless/progress: Displays the progress of an ongoing scan. POST, api/vVERSION/agentless/stop: Stops an ongoing scan.

    Improved Severity Assessment with Exploit Data

    Introduces a response parameter exploit for better severity assessment and improved risk factor calculation in the following APIs: * GET, api/vVERSION/images * GET, api/vVERSION/hosts * GET, api/vVERSION/serverless
    The improved features include the following: * Enriched PoC data that helps assigning a vulnerability with a PoC published around the web. * New risk factor, Exploit in the wild, provides information about which CVEs (from CISA KEV) have a proven risk of being exploited. * Create alert/block policies for exploits in the wild vulnerabilities, as well as for CVEs with PoC. * Improved mechanism for detecting Remote execution and DoS risk factors.
    New environmental risk factors that adds to better and improved risk score calculation:
    • Sensitive information: Provided in environment variables or private keys and is stored in image or serverless function.
    • Root Mount: Indicates that the vulnerability exists in a container with access to the host filesystem.
    • Runtime socket: Indicates that the vulnerability exists in a container with access to the host container runtime socket.
    • Host Access: Indicates that the vulnerability exists in a container with access to the host namespace, network, or devices.
    You can use the exploit data to understand the exploit type, its kind, and get more information from the source where it’s listed.

    Support for Audit Records through APIs

    Adds support for Audits APIs to create and store audit event records for all controls.
    The following new API endpoints are now supported:
    • GET, api/vVERSION/audits/mgmt
    • GET, api/vVERSION/audits/mgmt/filters
    • GET, api/vVERSION/audits/mgmt/download
    • GET, api/vVERSION/audits/access
    • GET, api/vVERSION/audits/access/download
    • GET, api/vVERSION/audits/admission
    • GET, api/vVERSION/audits/admission/download
    • PATCH, api/vVERSION/audits/incidents/acknowledge/{id}
    • GET, api/vVERSION/audits/firewall/app/app-embedded
    • GET, api/vVERSION/audits/firewall/app/app-embedded/download
    • GET, api/vVERSION/audits/firewall/app/app-embedded/timeslice
    • GET, api/vVERSION/audits/firewall/app/container
    • GET, api/vVERSION/audits/firewall/app/container/download
    • GET, api/vVERSION/audits/firewall/app/container/timeslice
    • GET, api/vVERSION/audits/firewall/app/host
    • GET, api/vVERSION/audits/firewall/app/host/download
    • GET, api/vVERSION/audits/firewall/app/host/timeslice
    • GET, api/vVERSION/audits/firewall/app/serverless
    • GET, api/vVERSION/audits/firewall/app/serverless/download
    • GET, api/vVERSION/audits/firewall/app/serverless/timeslice
    • GET, api/vVERSION/audits/firewall/app/agentless
    • GET, api/vVERSION/audits/firewall/app/agentless/timeslice
    • GET, api/vVERSION/audits/firewall/app/agentless/download
    • GET, api/vVERSION/audits/firewall/network/container
    • GET, api/vVERSION/audits/firewall/network/container/download
    • GET, api/vVERSION/audits/firewall/network/host
    • GET, api/vVERSION/audits/firewall/network/host/download
    • GET, api/vVERSION/audits/kubernetes
    • GET, api/vVERSION/audits/kubernetes/download
    • GET, api/vVERSION/audits/runtime/app-embedded
    • GET, api/vVERSION/audits/runtime/app-embedded/download
    • GET, api/vVERSION/audits/runtime/container
    • GET, api/vVERSION/audits/runtime/container/download
    • GET, api/vVERSION/audits/runtime/container/timeslice
    • GET, api/vVERSION/audits/runtime/file-integrity
    • GET, api/vVERSION/audits/runtime/file-integrity/download
    • GET, api/vVERSION/audits/runtime/host
    • GET, api/vVERSION/audits/runtime/host/download
    • GET, api/vVERSION/audits/runtime/host/timeslice
    • GET, api/vVERSION/audits/runtime/log-inspection
    • GET, api/vVERSION/audits/runtime/log-inspection/download
    • GET, api/vVERSION/audits/runtime/serverless
    • GET, api/vVERSION/audits/runtime/serverless/download
    • GET, api/vVERSION/audits/runtime/serverless/timeslice
    • GET, api/vVERSION/audits/trust
    • GET, api/vVERSION/audits/trust/download

    Immediate Image Scanning

    Introduces a body parameter, onDemandScan, that triggers an on-demand image scan without interrupting the current or ongoing scan for the following API: * POST, api/vVERSION/registry/scan
    The image’s registry must be predefined in the registry settings.

    Severity Level Based Report for Vulnerabilities

    Introduces a query parameter normalizedSeverity for host, images, registry, VMs, and serverless APIs to report vulnerabilities based on severity level.
    You can use the following APIs to report vulnerabilities based on the normalized severity:
    • GET, api/vVERSION/images
    • GET, api/vVERSION/images/download
    • GET, api/vVERSION/hosts
    • GET, api/vVERSION/hosts/download
    • GET, api/vVERSION/serverless
    • GET, api/vVERSION/serverless/download
    • GET, api/vVERSION/registry
    • GET, api/vVERSION/registry/download
    • GET, api/vVERSION/vms,
    • GET, api/vVERSION/vms/download

    Supports Viewing 250 Reports or Entries Per Page

    The query parameter limit now supports a page size of 250 entries or reports. The default value is 50 entries or reports per page.
    For example: Use the following way to retrieve the first 250 reports with a limit query parameter for an API endpoint /hosts:
    $ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  ‘https://<CONSOLE>/api/v<VERSION>/hosts?limit=250&offset=0’

    Support for More Registry Entries

    You can now add or edit up to 19,999 registry entries by using the following API: * POST, api/vVERSION/settings/registry * PUT, api/vVERSION/settings/registry

    DISA STIG Scan Findings and Justifications

    Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

    Addressed Issues

    • Fixed a JAR naming detection mismatch in scan results to match with the CVE data we have in the Intelligence Stream (IS). The JAR names in Prisma under
      Monitor > Vulnerabilities > Images/Hosts > Deployed | CI
       now match with the Maven repo standards. Now, when the GroupID of the JAR can’t be found in the file and only the ArtifactID is detected, we identify the JAR file by other identifiers. Only the ArtifactID will be present in the scan results.
    • For any feed collected by IS that does not provide a fix date for CVE, Prisma Cloud Compute will determine the fix date as the date when the fix for the CVE was first seen by the Intelligence Stream. Therefore, the calculation for the grace period will now start with the date on which the CVE fix was seen on the Intelligence Stream and not the CVE publish date.
      For example, if a CVE was first discovered without a fix, and a fix was released later, the grace period for fixing the CVE would start from the date the fix was published, even though the vendor feed didn’t provide us with an explicit fix date.
      For the feeds that provide a fix date for the CVEs (such as RHEL), the fix date will always be determined as the fix date provided by the vendor, and the grace period will be calculated using this fix date.
      There will be no change in the fix date for the existing CVEs in the IS, only the fix date for the new CVE fixes starting from Lagrange will change.
      With this update, all supported version of Console will receive the change for CVEs with no fix date provided by the vendor, because the change is on the Intelligence Stream (IS) which is avialable to all supported versions of Console.
      Refer to the Vulnerability management rules for more information.
    • For some package types, the process for inferring the fix status for CVEs that didn’t have a fix status before is improved.
      The package types improved are:
      • jar
      • python
      • Application packages such as MySQL, Java, Jenkins.
    • Fixed the serverless compliance results CSV report. The functions with no compliance/vulnerability issues were not added to the serverless compliance CSV report, this is now fixed and the report now includes all functions irrespective of Compliance/Vulnerabilities issues.
      A new "Compliance ID" column is added to indicate the compliance-related issues specifically.
    • Python package info is updated to include the path.

    Backward Compatibility for New Features

    Feature name
    Unsupported Component (Defender/twistcli)
    Details
    Risk-Factor Based Actions
    Defenders and twistcli
    Previous versions of Defenders and twistcli will not be able to enforce the policy actions that are based on risk factors.
    Exceptions for Base Image Vulnerabilities
    Defenders and twistcli
    Previous versions of Defenders and twistcli will not be able to enforce excluding base image vulnerabilities from the scan results.
    Upgrade Confirmation for Defenders on Tanzu
    Defenders
    The confirmation for upgrade will take effect for v22.12 (Lagrange) upgrades . The first upgrade from 22.06 to 22.12 will still upgrade existing Defenders.
    Custom Certificate Trust for Registry Scanning
    Defenders
    Previous versions of Defenders will not support using the configured custom CA certificate while scanning the registry
    Support for Distro-level Exclusions in Package Vulnerability Scans
    Defenders
    The change will not apply for scans performed by previous versions of Defenders.
    Regional STS Endpoint Support for Defender on AWS
    Defenders
    Previous versions of Defenders will not support using regional STS endpoint for scans in the cloud account.
    Path and Layer Information in Syslog Output
    twistcli
    Previous version of twistcli will not support the path and layer information in the JSON scan results.
    Individual Effects per Protection for container Runtime Policy
    Defenders
    Previous versions of Defenders will not support individual effects per protection. The least severe effect from the policy configured in the Console will be set as the single effect which the old Defender will use to enforce the policy.
    Support for JFrog Artifactory Registry Scan on JFrog Cloud
    Defenders
    Previous versions of Defenders will not be able to scan JFrog Cloud registry. Only the 22.12 Defenders will be selected from the scanners scope to scan the JFrog Cloud registry.
    JAR Vulnerability Detection Improvement
    Defenders
    The improvements will not apply for scans performed by previous versions of Defenders.
    Vulnerability Assessment for Go Packages
    Defenders
    The improvements will not apply for scans performed by previous versions of Defenders.
    FIPS 140-2 certification
    Defenders
    Previous versions of Defenders will not be FIPS 140-2 compliant.
    In-Depth Scanning for Nested Java Archives
    Defenders
    The improvements will not apply for scans performed by old Defenders
    JWT Parsing
    Defender
    Previous versions of Defenders will not parse JWT payloads and extract the entire payload or a specific attribute.
    [Out of Band] Support TLS in WAAS Out of Band Rules
    Defender
    Previous versions of Defenders will not support TLS in out of band rules.
    Auto Apply WAAS Virtual Patches Based on CVEs in Image Scan
    Defender
    Previous versions of Defenders will not apply a WAAS virtual patch to the application firewall.
    Allow list to Bypass Geo Access Control
    Defender
    Previous versions of Defender will not support an "allow list" to bypass Geo Access Control.
    Application Control for Linux Hosts
    Defender
    Previous versions of Defender will not control which applications and versions are allowed to run on your hosts.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.