Prisma Cloud Compute Edition Release Notes
    : 30.00 Release Notes
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Release Notes
    5. Prisma Cloud Compute Edition Release Information
    6. 30.00 Release Notes
    Download PDF

    Prisma Cloud Compute Edition Release Notes

    30.00 Release Notes

    Table of Contents

    30.00 Release Notes

    The following table outlines the release particulars:
    Build
    30.00.140
    Code name
    Maxwell
    Release date
    Apr 23, 2023
    Type
    Major release
    SHA-256
    6d9412c019e0ad16624657285493e8d4f610556b0c8b4a7cace2fe33f2d99f96
    Review the system requirements to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators.

    CVE Coverage Update

    As part of the 30.00 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
    • Fixed CVE-2023-28840 (Severity: high) || Package: github.com/docker/docker
      Fixed by upgrading to docker version v20.10.24.
    • Fixed CVE-2023-27561 (Severity: high) || Package: github.com/opencontainers/runc
      Fixed by upgrading to runc v1.1.5.
    • Fixed CVE-2023-28642 (Severity: moderate) || Package: github.com/opencontainers/runc
      Fixed by upgrading to runc version v1.1.5.
    • Fixed CVE-2023-28841 (Severity: moderate) || Package: github.com/docker/docker
      Fixed by upgrading to docker version v20.10.24.
    • Fixed CVE-2023-28842 Severity: moderate || Package: github.com/docker/docker
      Fixed by upgrading to docker version v20.10.24.
    • Fixed CVE-2023-0361 (Severity: moderate) || Package: gnutls
      Fixed by upgrading the gnutls (RHEL 8 package)
    • Fixed CVE-2023-25809 (Severity: low) || Package: github.com/opencontainers/runc
      Fixed by upgrading to runc version v1.1.5.

    UI Enhancements

    Tanzu Blobstore Update

    Improved the web interface to add and configure a VMWare Tanzu blobstore under
    Defend > Access > VMWare Tanzu blobstore
    .

    Defender Settings

    Improved the web interface for the advanced Defender settings under
    Manage > Defenders > Settings
    .

    Collections

    Improved the web interface for Collections (
    Manage > Collections and Tags
    ). You can now view a summary of each collection in the sidecar, which covers resource data and usage data of the collection.

    New Features in Agentless Security

    Agentless Scanning Support for Windows Hosts

    You can now use agentless scanning to scan Windows hosts for vulnerabilities and compliance issues on Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Agentless scanning supports the following versions of Windows.
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022
    Agentless scanning is not supported for containers running on Windows hosts.

    Support for Bottlerocket

    Agentless scanning for vulnerabilities and compliance is now supported on Bottlerocket.

    Support for Encrypted Volume Agentless Scanning with AWS Hub Accounts

    You can now use agentless scanning with your AWS hub accounts to scan encrypted volumes.

    Support for Shared VPC in GCP

    Agentless scanning in GCP now supports specifying a shared subnet to communicate back to Prisma Cloud. Using a shared VPC requires you to grant Prisma Cloud additional permissions to create and manage the VPC. If you are not using a shared VPC, you can use the existing permission template to configure agentless scanning.

    New Features in Core

    New Release Numbering Format

    Starting from this release, that is named 30.00.140, the Prisma Cloud versions have a new release numbering format major release.minor release.build. The major release is a number 30, in this case, followed by the minor release sequence that will start with 00 (first release), 01 (minor 1), 02 (minor 2), and so on.
    For example, the next maintenance release will be 30.01.build, and maintenance update 2 will be 30.02.build.

    Cloud Radar Improvements

    Improved filters and performance in
    Radars > Cloud
    .

    Runtime Protection Support for Photon OS 4.0 Hosts

    Added runtime protection using Defenders for your Photon OS 4.0 hosts.

    Support Vulnerability Management for CentOS Stream 9

    Added support for CentOS Stream 9 for vulnerability scanning.

    Update to Host VM Tags Collection

    VM tags are now identified during the platform cloud discovery. You can create new host collections using the tag metadata of the cloud hosts. The tags propagate to your images and containers belonging to the host. Additional tags captured during Defender deployment are appended to the existing tag list and are also available to you when creating new host collections.

    User Management Role

    You can define two distinct system roles to manage authentication permissions. This change gives you more granular control over these permissions. The permissions of the old Authentication system role are now split into the User Management and Authentication Configuration system roles.

    Support .NET NuGet Package

    Added support for vulnerability scanning of the NuGet package for .NET for images, functions, and hosts. For hosts, the scan is supported using twistcli only.

    Support OEL 7

    Added support for Oracle Enterprise Linux 7 on x86.

    Support for RHEL 9

    Added support for RedHat Enterprise Linux 9 on x86 and on ARM.

    New Features in Host Security

    Support for CBL-Mariner on Hosts

    Added support for CBL-Mariner 2.0 on x86 for vulnerability scanning, compliance scanning, and runtime protection. Prisma Cloud tested CBL-Mariner on AKS running on HCI environment.

    New Features in Serverless

    Cloud Account Onboarding includes Serverless Scanning

    To make it easier to configure serverless scanning, you can now configure serverless scanning when you add a new cloud account (
    Manage > Cloud accounts
    ). To change the serverless configuration go to
    Manage > Cloud accounts
    , click
    Edit
    , and make the needed changes.

    New Features in WAAS

    Customizable CAPTCHA page for WAAS Bot protection

    You can now embed a custom reCAPTCHA page branded to fit your application and protect your website from spam and abuse. The WAAS Bot Protection is available on
    Defend > WAAS > Active Bot Detection
    .

    Amazon EC2 Auto Scaling support in WAAS Agentless

    The agentless app firewall permissions template for AWS has been revised to include a policy to support Auto Scaling of EC2 instances. To enable Auto Scaling, you must update your AWS CloudFormation permission template.

    API Changes and New APIs

    Supports Amazon EC2 Auto Scaling in WAAS agentless deployment

    WAAS agentless deployment now supports automatic scaling of WAAS observers to handle a large amount of network traffic or sudden increase of traffic volume.
    By default, the feature is disabled. You can enable the feature by using the PUT method in the following API endpoint:
    /api/vVERSION/policies/firewall/app/agentless
    • autoScalingEnabled: Enables the auto scaling using Amazon EC2 Auto Scaling feature for a VPC observer handling multiple network instances.
      Default: False
    • autoScalingMaxInstances: Specifies the maximum deployed instances for autoscaling deployment.
      Values: 1 - 10. Default: 0

    Breaking Changes in API

    Cloud Discovery API Endpoint Updates for Response Pagination

    The
    GET, /api/vVERSION/cloud/discovery
     API endpoint now returns a paginated response instead of all results in a single response.
    This change is implemented in n-2 versions and applies to 30.00, 22.12, and 22.06.
    The request and response schema of this API have been updated to implement this change. The entities object in
    GET, /api/vVERSION/cloud/discovery
     is moved to another endpoint
    GET, /api/v1/cloud/discovery/entities
    .
    You must update your scripts to use the
    limit
     and
    offset
     parameters to get more than 50 results in a single response.

    DISA STIG Scan Findings and Justifications

    Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

    Addressed Issues

    • Fixed false "Passed" result caused when both alert threshold and failure threshold are off, with exceptions for specific CVEs. Exceptions set to fail now fail as expected, even when the thresholds are off.
    • Fixed a bug in the App-embedded Defender scan results filtering to avoid showing the removed or disconnected instances of the images.
    • Fixed Missing Vulnerabilities of JARs on non-Maven Packages.
    • Fixed an issue with the missing paths for the ruby packages in the scan results. The package path in
      Monitor > Vulnerabilities/Compliance > Images
       is useful in identifying where the package is installed in your environment.
    • Fixed Missing Vulnerabilities for Oracle Linux.
    • Fixed an issue on the AWS US Gov region to enable successful forwarding of alerts to the AWS Security Hub integration.

    Backward Compatibility for New Features

    Feature name
    Unsupported Component (Defender/twistcli)
    Details
    Customizable CAPTCHA page for WAAS Bot protection
    Defenders
    Previous versions of Defenders will not support customizing eCAPTCHA for WAAS Bot protection.

    End of Support Notifications

    Ends support for the serverless scan API endpoint

    The
    /api/vVERSION/settings/serverless-scan
     API route is no longer supported.

    Change in Behavior

    Upgrade Defender based on a collection filter

    The API endpoint
    /api/vVERSION/defenders/upgrade
     supports upgrading to all the eligible Defenders by filtering based on the query parameter
    collections
     that are assigned to your user role.
    This change was introduced in 22.12.694 build. If you are upgrading from a version earlier than 22.12.694 to 30.00, this behavior will now be in effect.

    Change in API versioning

    Starting with version 30.xx, each maintenance release (like 30.01, 30.02, and so on) may contain new features and improvements. As a result, the URLs for the APIs will be updated to reflect the version.
    You can use different
    .xx
     versions of the API at the same time for your automation requirements as we continue to support backward compatibility for two major including minor (maintenance) release versions behind the current one (n-2). For example, while on build 30.01, you can continue to use the API paths such as
    api/v30.00
    ,
    api/v22.12
    , and
    api/v22.06
     due to backward compatibility.
    Though we recommend you to update scripts to use the current or new API paths, you won’t need to worry about making changes to your code immediately when a new major or minor (maintenance) release is announced.

    API Discovery Retention Policy

    On the WAAS API Discovery database, if the database has reached its storage capacity and new path entries are added for API endpoints, the Console utilizes the 'Last Observed' date to remove older entries and improve the utilization of the available resources. When an image or an API endpoint is deleted from the database, an alert is generated, and the details are written to the Console logs.
    This change was introduced in 22.12.582. If you are upgrading from a version earlier than 22.12.582 to 30.00, this retention policy will now be in effect.

    Changed the name resolution in AKS clusters.

    Previous versions show the value of the server field of the cluster kubeconfig file with the node running the Defender. Now, daemonset Defenders report the same cluster name displayed in the Azure portal in their scans. This change only applies to nodes in resource groups using the default format Azure assigns to AKS node resource groups. If you have a custom name for the AKS node resource group or the name can’t be resolved, the value of the server field of the cluster kubeconfig file is shown.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.