Features Introduced in February 2023

The host, container, and serverless capabilities on the
Compute
tab are being upgraded starting on Feb 15, 2023. When upgraded the version will be 22.12.582.

New Features in Prisma Cloud Compute

Feature
Description
CVE Coverage Update
As part of the 22.12 release, Prisma Cloud has rolled out updates to its vulnerability data for Common Vulnerabilities and Exposures (CVEs) in the Intelligence Stream. The new additions are as follows:
  • Fixed CVE-2022-41717 and CVE-2022-27664: Updated the golang.org/x/net Go module to v0.5.0. WAAS deployments were affected if you have a HTTP2 applications and have deployed WAAS to inspect HTTP2 traffic. Upgrade your Prisma Cloud Defenders if you use WAAS to inspect HTTP2 traffic.
  • Fixed CVE-2023-0247: Updated the bits-and-blooms/bloom Go module to v3.3.1.
  • CVE-2022-41721 is included in the Intelligence Stream feed. Prisma Cloud doesn’t use MaxBytesHandler and this vulnerability doesn’t impact Prisma Cloud components. You can continue to run any of the supported Prisma Cloud releases without risk from this vulnerability. To remove the vulnerability alert, upgrade to the latest 22.12 release. If you are not ready to upgrade right away, add an exception in the default
    Ignore Twistlock Components
    rule. Go to
    Defend > Vulnerabilities > Images > Deployed
    to add the exception to suppress the vulnerability alerts for CVE-2022-41721.
  • CVE-2022-1996 is included in the Intelligence Stream feed. The Go-Restful package is a transitive dependency that is pulled with k8s.io/client-go and `k8s.io/kube-openapi`and is not being used directly in the Compute Defender and Console, thus it is suppressed.
  • The ubi-minimal base image packages are updated to the latest.
Enhancements
Added support for cgroupv2:
  • Scans
    :
    • Full support for cgroup v1 and cgroup v2.
    • Hybrid mode not supported: this will not fail the scan, but the scan will run without the process limitation protection.
  • WAAS
    :
    • In-Line firewall:
      • Full support for cgroup v1 and cgroup v2.
      • Hybrid mode: partially supported. It is supported if the memory and CPU controllers are both under the legacy hierarchy (v1). Otherwise, the firewall will fail.
    • Out-Of-Band firewall:
      • Only cgroup v1 is fully supported.
      • Cgroup v2: not supported. The firewall will run but the memory limit of the defender’s cgroup will not be increased.
      • Hybrid mode: partially supported. Same as WAAS In-Line.
  • Support
    : cgroup v2 is not supported for Talos and other operating systems that don’t have systemd.
Added support for Oracle Enterprise Linux (OEL) 8 and 9.
You can now run Defenders on OEL 8 and 9 hosts. Prisma Cloud now also protects OEL containers and images.
Added support for Red Hat Enterprise Linux 9 on X86 architecture.
You can now run Defenders on RHEL 9 hosts. Prisma Cloud now also protects RHEL 9 containers and images.
Added support for Rocky Linux 8 and 9.
You can now run Defenders on hosts running Rocky Linux 8 and 9. Prisma Cloud now also protects Rocky Linux containers and images.
Added support for Windows Server 2022.
  • Container Defenders support the following features for Windows Server 2022.
    • Windows compliance scans
    • Vulnerability scans
    • Registry scans
    • Runtime scans
    • CNNS
    • Windows metadata scans in Alibaba, AWS, Azure, and GCP
  • Host Defenders support the following features for Windows Server 2022.
    • Windows compliance scans
    • Vulnerability scans
    • WAAS scans
    • Windows metadata scans in Alibaba, AWS, Azure, and GCP
Improved registry scan logs.
Registry scan logs (
Manage > Logs > Console
) now include information about registry scans that failed if there is no Defender available to scan the registry.
Added WAAS support for whitespace in JSON (body) Firewall exception.
Add log when package manager files are missing in the scan
Added a log in cases when during image scan, the package manager folders required for the scan (e.g, /var/lib/dpkg) don’t exist. The log will appear either in the Defender logs or twistcli stdout. In these cases, the scan might end with 0 vulnerabilities for this image.
Added support for custom tagging agentless scanners and resources created within your accounts.
You can specify up to ten tags as a part of the advanced agentless configuration. These tags are added to any previously existing resource tags.
Updated the agentless scanning onboarding instructions for AWS and GCP to include setting up agentless using hub and target accounts.
Introduced a new column
Last changed
to API Discovery with the date of the latest change to the API.
The discovered API
Change history
log is shown in the details pane.

Recommended For You