: Features Introduced in April 2023
Focus
Focus

Features Introduced in April 2023

Table of Contents

Features Introduced in April 2023

The host, container, and serverless capabilities on the
Compute
tab are being upgraded starting on Apr 23, 2023. When upgraded, the version will be 30.00.140.

New Features in Prisma Cloud Compute

Feature
Description
CVE Coverage Update
As part of the 30.00 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • Fixed CVE-2023-28840 (Severity: high) - Package: github.com/docker/docker
    Fixed by upgrading to docker version v20.10.24.
  • Fixed CVE-2023-27561 (Severity: high) - Package: github.com/opencontainers/runc
    Fixed by upgrading to runc v1.1.5.
  • Fixed CVE-2023-28642 (Severity: moderate) - Package: github.com/opencontainers/runc
    Fixed by upgrading to runc version v1.1.5.
  • Fixed CVE-2023-28841 (Severity: moderate) - Package: github.com/docker/docker
    Fixed by upgrading to docker version v20.10.24.
  • Fixed CVE-2023-28842 Severity: moderate - Package: github.com/docker/docker
    Fixed by upgrading to docker version v20.10.24.
  • Fixed CVE-2023-0361 (Severity: moderate) - Package: gnutls
    Fixed by upgrading the gnutls (RHEL 8 package)
  • Fixed CVE-2023-25809 (Severity: low) - Package: github.com/opencontainers/runc
    Fixed by upgrading to runc version v1.1.5.
Enhancements
Tanzu Blobstore Update
Improved the web interface to add and configure a VMWare Tanzu blobstore under
Defend > Access > VMWare Tanzu blobstore
.
Defender Settings
Improved the web interface for the advanced Defender settings under
Manage > Defenders > Settings
.
Collections
Improved the web interface for Collections (
Manage > Collections and Tags
). You can now view a summary of each collection in the sidecar, which covers resource data and usage data of the collection.
New Features in Agentless Security
Agentless Scanning Support for Windows Hosts
You can now use agentless scanning to scan Windows hosts for vulnerabilities and compliance issues on Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Agentless scanning supports the following versions of Windows.
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
Agentless scanning is not supported for containers running on Windows hosts.
Support for Bottlerocket
Agentless scanning for vulnerabilities and compliance is now supported on Bottlerocket.
Support for Encrypted Volume Agentless Scanning with AWS Hub Accounts
You can now use agentless scanning with your AWS hub accounts to scan encrypted volumes.
Support for Shared VPC in GCP
Agentless scanning in GCP now supports specifying a shared subnet to communicate back to Prisma Cloud. Using a shared VPC requires you to grant Prisma Cloud additional permissions to create and manage the VPC. If you are not using a shared VPC, you can use the existing permission template to configure agentless scanning.
New Features in Core
New Release Numbering Format
Starting from this release, that is named 30.00.140, the Prisma Cloud versions have a new release numbering format major release.minor release.build. The major release is a number 30, in this case, followed by the minor release sequence that will start with 00 (first release), 01 (minor 1), 02 (minor 2), and so on.
For example, the next maintenance release will be 30.01.build, and maintenance update 2 will be 30.02.build.
Cloud Radar Improvements
Improved filters and performance in
Radars > Cloud
.
Runtime Protection Support for Photon OS 4.0 Hosts
Added runtime protection using Defenders for your Photon OS 4.0 hosts.
Support Vulnerability Management for CentOS Stream 9
Added support for CentOS Stream 9 for vulnerability scanning.
Support .NET NuGet Package
Added support for vulnerability scanning of the NuGet package for .NET for images, functions, and hosts. For hosts, the scan is supported using twistcli only.
Support OEL 7
Added support for Oracle Enterprise Linux 7 on x86.
Support for RHEL 9
Added support for RedHat Enterprise Linux 9 on x86 and on ARM.
Host VM Tags Collection Update
VM tags are now identified during the platform cloud discovery. You can create new host collections using the tag metadata of the cloud hosts. The tags propagate to your images and containers belonging to the host. Additional tags captured during Defender deployment are appended to the existing tag list and are also available to you when creating new host collections.
New Features in Host Security
Support for CBL-Mariner on Hosts
Added support for CBL-Mariner 2.0 on x86 for vulnerability scanning, compliance scanning, and runtime protection. Prisma Cloud tested CBL-Mariner on AKS running on HCI environment.
New Features in Serverless Security
Cloud Account Onboarding includes Serverless Scanning
To make it easier to configure serverless scanning, you can now configure serverless scanning when you add a new cloud account. The change the serverless configuration, select
Compute > Manage > Cloud accounts
, click
Edit
.
New features in Web Application and API Security (WAAS)
Customizable CAPTCHA for WAAS Bot Protection
You can now embed a custom reCAPTCHA page branded to fit your application and protect your website from spam and abuse. The WAAS Bot Protection is available on
Defend > WAAS > Active Bot Detection
.
Amazon EC2 Auto Scaling Support for WAAS Agentless
The agentless app firewall permissions template for AWS has been revised to include a policy to support Auto Scaling of EC2 instances. To enable auto scaling, you must update your AWS CloudFormation permission template.

API Changes

CHANGE
DESCRIPTION
Adds Cache-control Header for all API Responses
Adds a header Cache-control: no-store in the API response to control storing of cache for all API requests.
Supports Amazon EC2 Auto Scaling in WAAS Agentless Deployment
WAAS agentless deployment now supports automatic scaling of WAAS observers to handle a large amount of network traffic or sudden increase of traffic volume.
By default, the feature is disabled. You can enable the feature by using the PUT method in the following API endpoint:
/api/vVERSION/policies/firewall/app/agentless
  • autoScalingEnabled: Enables the auto scaling using Amazon EC2 Auto Scaling feature for a VPC observer handling multiple network instances.
    Default: False
  • autoScalingMaxInstances: Specifies the maximum deployed instances for autoscaling deployment.
    Values: 1 - 10. Default: 0

Breaking Changes in API

Cloud Discovery API Endpoint Updates for Response Pagination

The
GET, /api/vVERSION/cloud/discovery
API endpoint now returns a paginated response of 50 results instead of all results in a single response.
This change is implemented in n-2 versions.
The request and response schema of this API are updated. In the reponse, the
entities
object in
GET, /api/vVERSION/cloud/discovery
is moved to another endpoint
GET, /api/v1/cloud/discovery/entities
. For more information, see the new parameters.

DISA STIG Scan Findings and Justifications

Every release, we perform an SCAP scan of the Prisma Cloud Compute Console and Defender images. The process is based upon the U.S. Air Force’s Platform 1 "Repo One" OpenSCAP scan of the Prisma Cloud Compute images. We compare our scan results to IronBank’s latest approved UBI8-minimal scan findings. Any discrepancies are addressed or justified.

Backward Compatibility for New Features

FEATURE NAME
Unsupported Component (Defender/twistcli)
DETAILS
Customizable CAPTCHA page for WAAS Bot Protection
Defenders
Previous versions of Defenders will not support customizing eCAPTCHA for WAAS Bot protection.

End of Support Notifications

Notices
End of Support for the Serverless Scan API Endpoint
The
/api/vVERSION/settings/serverless-scan
API route is no longer supported.

Changes in Existing Behavior

Defender Upgrade Based on Collection Filter
The API endpoint
/api/vVERSION/defenders/upgrade
supports upgrading to all the eligible Defenders by filtering based on the query parameter
collections
that are assigned to your user role. This change was introduced in 22.12.694 build. If you are upgrading from a version earlier than 22.12.694 to 30.00, this behavior will now be in effect.
API Discovery Retention Policy
On the WAAS API Discovery database, if the database has reached its storage capacity and new path entries are added for API endpoints, the Console utilizes the 'Last Observed' date to remove older entries and improve the utilization of the available resources. When an image or an API endpoint is deleted from the database, an alert is generated, and the details are written to the Console logs.
This change was introduced in 22.12.582. If you are upgrading from a version earlier than 22.12.582 to 30.00, this retention policy will now be in effect.
Name Resolution Change in AKS Clusters
Previous versions show the value of the server field of the cluster kubeconfig file with the node running the Defender. Now, daemonset Defenders report the same cluster name displayed in the Azure portal in their scans. This change only applies to nodes in resource groups using the default format Azure assigns to AKS node resource groups. If you have a custom name for the AKS node resource group or the name can’t be resolved, the value of the server field of the cluster kubeconfig file is shown.
API Versioning with new Release Numbering Format
Starting with version 30.xx, each maintenance release (like 30.01, 30.02, and so on) may contain new features and improvements. As a result, the URLs for the APIs will be updated to reflect the version.
You can use different
.xx
versions of the API at the same time for your automation requirements as we continue to support backward compatibility for two major including minor (maintenance) release versions behind the current one (n-2). For example, while on build 30.01, you can continue to use the API paths such as
api/v30.00
,
api/v22.12
, and
api/v22.06
due to backward compatibility.
Though we recommend you to update scripts to use the current or new API paths, you won’t need to worry about making changes to your code immediately when a new major or minor (maintenance) release is announced.

Recommended For You