30.00 Release Notes
The following table outlines the release particulars:
Build | 30.00.140 |
Code name | Maxwell |
Release date | Apr 23, 2023 |
Type | Major release |
SHA-256 | 6d9412c019e0ad16624657285493e8d4f610556b0c8b4a7cace2fe33f2d99f96 |
Review the system requirements to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators.
CVE Coverage Update
As part of the 30.00 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
- Fixed CVE-2023-28840 (Severity: high) || Package: github.com/docker/dockerFixed by upgrading to docker version v20.10.24.
- Fixed CVE-2023-27561 (Severity: high) || Package: github.com/opencontainers/runcFixed by upgrading to runc v1.1.5.
- Fixed CVE-2023-28642 (Severity: moderate) || Package: github.com/opencontainers/runcFixed by upgrading to runc version v1.1.5.
- Fixed CVE-2023-28841 (Severity: moderate) || Package: github.com/docker/dockerFixed by upgrading to docker version v20.10.24.
- Fixed CVE-2023-28842 Severity: moderate || Package: github.com/docker/dockerFixed by upgrading to docker version v20.10.24.
- Fixed CVE-2023-0361 (Severity: moderate) || Package: gnutlsFixed by upgrading the gnutls (RHEL 8 package)
- Fixed CVE-2023-25809 (Severity: low) || Package: github.com/opencontainers/runcFixed by upgrading to runc version v1.1.5.
UI Enhancements
Tanzu Blobstore Update
Improved the web interface to add and configure a VMWare Tanzu blobstore under
Defend > Access > VMWare Tanzu blobstore
.
Defender Settings
Improved the web interface for the advanced Defender settings under
Manage > Defenders > Settings
.
Collections
Improved the web interface for Collections (
Manage > Collections and Tags
). You can now view a summary of each collection in the sidecar, which covers resource data and usage data of the collection.
New Features in Agentless Security
Agentless Scanning Support for Windows Hosts
You can now use agentless scanning to scan Windows hosts for vulnerabilities and compliance issues on Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Agentless scanning supports the following versions of Windows.
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Agentless scanning is not supported for containers running on Windows hosts.
Support for Bottlerocket
Agentless scanning for vulnerabilities and compliance is now supported on Bottlerocket.
Support for Encrypted Volume Agentless Scanning with AWS Hub Accounts
You can now use agentless scanning with your AWS hub accounts to scan encrypted volumes.
New Features in Core
New Release Numbering Format
Starting from this release, that is named 30.00.140, the Prisma Cloud versions have a new release numbering format major release.minor release.build.
The major release is a number 30, in this case, followed by the minor release sequence that will start with 00 (first release), 01 (minor 1), 02 (minor 2), and so on.
For example, the next maintenance release will be 30.01.build, and maintenance update 2 will be 30.02.build.
Cloud Radar Improvements
Improved filters and performance in
Radars > Cloud
.
Runtime Protection Support for Photon OS 4.0 Hosts
Added runtime protection using Defenders for your Photon OS 4.0 hosts.
Support Vulnerability Management for CentOS Stream 9
Added support for CentOS Stream 9 for vulnerability scanning.
Update to Host VM Tags Collection
VM tags are now identified during the platform cloud discovery. You can create new host collections using the tag metadata of the cloud hosts. The tags propagate to your images and containers belonging to the host. Additional tags captured during Defender deployment are appended to the existing tag list and are also available to you when creating new host collections.
User Management Role
You can define two distinct system roles to manage authentication permissions. This change gives you more granular control over these permissions. The permissions of the old Authentication system role are now split into the User Management and Authentication Configuration system roles.
Support .NET NuGet Package
Added support for vulnerability scanning of the NuGet package for .NET for images, functions, and hosts. For hosts, the scan is supported using twistcli only.
Support OEL 7
Added support for Oracle Enterprise Linux 7 on x86.
Support for RHEL 9
Added support for RedHat Enterprise Linux 9 on x86 and on ARM.
New Features in Host Security
Support for CBL-Mariner on Hosts
Added support for CBL-Mariner 2.0 on x86 for vulnerability scanning, compliance scanning, and runtime protection. Prisma Cloud tested CBL-Mariner on AKS running on HCI environment.
New Features in Serverless
Cloud Account Onboarding includes Serverless Scanning
To make it easier to configure serverless scanning, you can now configure serverless scanning when you add a new cloud account (
Manage > Cloud accounts
).
To change the serverless configuration go to Manage > Cloud accounts
, click Edit
, and make the needed changes.
New Features in WAAS
Customizable CAPTCHA page for WAAS Bot protection
You can now embed a custom reCAPTCHA page branded to fit your application and protect your website from spam and abuse. The WAAS Bot Protection is available on
Defend > WAAS > Active Bot Detection
.
Amazon EC2 Auto Scaling support in WAAS Agentless
The agentless app firewall permissions template for AWS has been revised to include a policy to support Auto Scaling of EC2 instances.
To enable Auto Scaling, you must update your AWS CloudFormation permission template.
API Changes and New APIs
Supports Amazon EC2 Auto Scaling in WAAS agentless deployment
WAAS agentless deployment now supports automatic scaling of WAAS observers to handle a large amount of network traffic or sudden increase of traffic volume.
By default, the feature is disabled. You can enable the feature by using the PUT method in the following API endpoint:
/api/vVERSION/policies/firewall/app/agentless
- autoScalingEnabled: Enables the auto scaling using Amazon EC2 Auto Scaling feature for a VPC observer handling multiple network instances.Default: FalseautoScalingMaxInstances: Specifies the maximum deployed instances for autoscaling deployment.Values: 1 - 10. Default: 0
Breaking Changes in API
Cloud Discovery API Endpoint Updates for Response Pagination
The
GET, /api/vVERSION/cloud/discovery
API endpoint now returns a paginated response instead of all results in a single response.The request and response schema of this API have been updated to implement this change. The entities object in
GET, /api/vVERSION/cloud/discovery
is moved to another endpoint GET, /api/v1/cloud/discovery/entities
.You must update your scripts to use the
limit
and offset
parameters to get more than 50 results in a single response.DISA STIG Scan Findings and Justifications
Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.
Addressed Issues
- Fixed false "Passed" result caused when both alert threshold and failure threshold are off, with exceptions for specific CVEs. Exceptions set to fail now fail as expected, even when the thresholds are off.
- Fixed a bug in the App-embedded Defender scan results filtering to avoid showing the removed or disconnected instances of the images.
- Fixed Missing Vulnerabilities of JARs on non-Maven Packages.
- Fixed an issue with the missing paths for the ruby packages in the scan results. The package path inMonitor > Vulnerabilities/Compliance > Imagesis useful in identifying where the package is installed in your environment.
- Fixed Missing Vulnerabilities for Oracle Linux.
- Fixed an issue on the AWS US Gov region to enable successful forwarding of alerts to the AWS Security Hub integration.
Backward Compatibility for New Features
Feature name | Unsupported Component (Defender/twistcli) | Details |
|---|---|---|
Customizable CAPTCHA page for WAAS Bot protection | Defenders | Previous versions of Defenders will not support customizing eCAPTCHA for WAAS Bot protection. |
End of Support Notifications
Ends support for the serverless scan API endpoint
The
/api/vVERSION/settings/serverless-scan
API route is no longer supported.Change in Behavior
Upgrade Defender based on a collection filter
The API endpoint
/api/vVERSION/defenders/upgrade
supports upgrading to all the eligible Defenders by filtering based on the query parameter collections
that are assigned to your user role.This change was introduced in 22.12.694 build. If you are upgrading from a version earlier than 22.12.694 to 30.00, this behavior will now be in effect.
Change in API versioning
Starting with version 30.xx, each maintenance release (like 30.01, 30.02, and so on) may contain new features and improvements. As a result, the URLs for the APIs will be updated to reflect the version.
You can use different
.xx
versions of the API at the same time for your automation requirements as we continue to support backward compatibility for two major including minor (maintenance) release versions behind the current one (n-2). For example, while on build 30.01, you can continue to use the API paths such as api/v30.00
, api/v22.12
, and api/v22.06
due to backward compatibility.Though we recommend you to update scripts to use the current or new API paths, you won’t need to worry about making changes to your code immediately when a new major or minor (maintenance) release is announced.
API Discovery Retention Policy
On the WAAS API Discovery database, if the database has reached its storage capacity and new path entries are added for API endpoints, the Console utilizes the 'Last Observed' date to remove older entries and improve the utilization of the available resources.
When an image or an API endpoint is deleted from the database, an alert is generated, and the details are written to the Console logs.
This change was introduced in 22.12.582. If you are upgrading from a version earlier than 22.12.582 to 30.00, this retention policy will now be in effect.
Changed the name resolution in AKS clusters.
Previous versions show the value of the server field of the cluster kubeconfig file with the node running the Defender. Now, daemonset Defenders report the same cluster name displayed in the Azure portal in their scans. This change only applies to nodes in resource groups using the default format Azure assigns to AKS node resource groups. If you have a custom name for the AKS node resource group or the name can’t be resolved, the value of the server field of the cluster kubeconfig file is shown.
