diff --git a/docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc b/docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc index 46b0e5acbe..66a15abaca 100644 --- a/docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc +++ b/docs/en/compute-edition/32/rn/release-information/release-notes-32-03.adoc @@ -196,6 +196,10 @@ The ‘packageType’ field is added to the vulnerabilities schema responses. |*Agentless Scanning* |The agentless scanner boot volume now enforces encryption by default. +//CWP-58870 +|*Vulnerability Scan +|Fixed an issue that caused duplicate jar entries with mismatched versions in vulnerability scan reports. + |=== // [#backward-compatibility] diff --git a/docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc b/docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc index 5adac5845b..a515e29eaf 100644 --- a/docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc +++ b/docs/en/compute-edition/32/rn/release-information/release-notes-32-07.adoc @@ -138,6 +138,10 @@ There are no API changes for this release. [cols="1,1"] |=== +//CWP-61752 +|*WAAS Counters Periodically Stop Incrementing and Need Defender Restart* +| The issue related to interruption in the communication between a defender and the console—​that was introduced by the newly introduced fail-safe mechanism aimed to prevent any impact to customer traffic or downtime—​is resolved. The fix requires you to upgrade the Console and the Defenders to version 33.00. + //CWP-61027 |*Reporting All Affected Versions for GO Package CVEs* |For some GO package CVEs, Prisma Cloud did not completely report all the affected versions, particularly when multiple version ranges were involved, resulting in occasional false negatives. 
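Review bot: in the release-notes-32-03 hunk the cell title `|*Vulnerability Scan` is missing its closing asterisk, so the bold span runs into the description; the neighbouring row is written `|*Agentless Scanning*`. In the release-notes-32-07 hunk the new row states that the fix "requires you to upgrade the Console and the Defenders to version 33.00", which does not belong in a 32.07 fixed-issues table; either tag the entry as fixed in 33.00 in the 33.xx notes or say what, if anything, 32.07 itself changes. The same cell also contains two em-dashes each followed by an invisible zero-width space (U+200B); replace them with plain punctuation so nothing stray renders.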
diff --git a/docs/en/compute-edition/33/admin-guide/compliance/oss-license-management.adoc b/docs/en/compute-edition/33/admin-guide/compliance/oss-license-management.adoc deleted file mode 100644 index f319832102..0000000000 --- a/docs/en/compute-edition/33/admin-guide/compliance/oss-license-management.adoc +++ /dev/null 
@@ -1,66 +0,0 @@ -== OSS license management - -Prisma Cloud can detect licenses for package dependencies in code repositories. -It can scan code repos hosted by service providers (currently GitHub only). -It can also scan build folders constructed by CI build jobs. - -A license policy defines the criticality of a license. -For example, you might specify consider any package with a GPL license as a critical issue. -Depending on your license policy, Prisma Cloud can raise alerts and block builds. - - -[.task] -=== Create a license compliance policy - -Compliance policies consist of one or more rules. - -NOTE: Prisma Cloud ships with a default rule named *Default - alert all components*. -This rule ships with alerts disabled, so the policy is effectively disabled. -As a starting point, consider cloning this rule, and reconfiguring it for your own purposes. -Set a threshold, and declare licenses you consider critical. -Rule order is important, so be sure your custom rule sits above the default rule. - -[.procedure] -. Open Console. - -. Go to *Defend > Compliance > Code repositories*. - -. Choose the target of your policy. -+ -If your policy targets GitHub, go to the *Repositories* tab. -+ -If your policy targets your CI pipeline, go to the *CI* tab. - -. Click *Add rule*. - -. Specify a rule name. - -. In *Scope*, select one or more collections to apply your policy to specific repos. -+ -Use the default *All* collection to apply it to all repos. - -. Set the rule thresholds. - -. Specify the severity of each license of interest. -+ -Each field offers SPDX license identifiers as suggestions. -Pattern-matching expressions are supported (e.g., `GPL-*`). - - -=== Scan with twistcli - -To scan a folder with twistcli, use the following command: - - twistcli coderepo scan [FOLDER_PATH] --details - -Contents of the repo are assessed according to the policy in *Defend > Compliance > Code repositories > CI*. 
-Scan results are published in *Monitor > Compliance > Code repositories > CI* - -For CI only, a status column indicates if twistcli passed or failed the build according to the defined policy. - - -=== Review scan results. - -Go to *Monitor > Compliance > Code repositories*. -Each row in the results table has a meter which shows the number of compliance issues at each severity level. -Click on a row to drill into the details of the scan report. diff --git a/docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc b/docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc index e0e5a17c41..bdf900e48e 100644 --- a/docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc +++ b/docs/en/compute-edition/33/admin-guide/install/fragments/install-defender-twistcli-export-kubectl.adoc @@ -73,9 +73,9 @@ $ ./twistcli defender export kubernetes \ * specifies the address Defender uses to connect to Prisma Cloud Console. You can use the external IP address exposed by your load balancer or the DNS name that you manually set up. * Once you run the given command, after altering the fields for your environment, you will get a prompt requesting a password. The password is the secret key of the Prisma Cloud user with the System Admin role that you should have created as part of the prerequisite. -+ -[NOTE] -==== + +Note: + * For provider managed clusters, Prisma Cloud automatically gets the cluster name from your cloud provider. * To override the cluster name used that your cloud provider has, use the `--cluster` option. 
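Review bot: deleting oss-license-management.adoc leaves its navigation and cross-references unaddressed in this patch: no admin-guide book.yml change accompanies the removal, the Enterprise Edition copy carries the `[#oss-license-management]` anchor that other pages may xref, and the Deprecation Notices section of the 33.03 notes is still commented out, so readers get no record that the feature and its `twistcli coderepo scan` workflow went away. In the install-defender-twistcli-export-kubectl hunk, replacing the `[NOTE]`/`====` admonition with a bare `Note:` paragraph and dropping the `+` continuation line detaches the bullets from the procedure step and loses the admonition rendering; keep the delimited block and add the new RKE2 bullet inside it.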
@@ -87,7 +87,8 @@ $ ./twistcli defender export kubernetes \ * When using an AWS Bottlerocket-based EKS cluster, pass the `--container-runtime crio` flag when creating the `YAML` file. * To use Defenders in *GKE on ARM*, you must https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#node-affinity-multi-arch-arm[prepare your workloads]. -==== + +* For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. . Deploy the Defender `DaemonSet` custom resource. + diff --git a/docs/en/compute-edition/33/rn/book.yml b/docs/en/compute-edition/33/rn/book.yml index dd489ba5c8..517d968f04 100644 --- a/docs/en/compute-edition/33/rn/book.yml +++ b/docs/en/compute-edition/33/rn/book.yml @@ -18,6 +18,8 @@ dir: release-information topics: - name: Prisma(TM) Cloud Compute Edition Release Information file: release-information.adoc + - name: 33.03 (Build 33.03.138) + file: release-notes-33-03.adoc - name: 33.02 (Build 33.02.134) file: release-notes-33-02.adoc - name: 33.01 (Build 33.01.137) diff --git a/docs/en/compute-edition/33/rn/book_point_release.yml b/docs/en/compute-edition/33/rn/book_point_release.yml index 8bab5af687..987b9a740c 100644 --- a/docs/en/compute-edition/33/rn/book_point_release.yml +++ b/docs/en/compute-edition/33/rn/book_point_release.yml @@ -2,7 +2,7 @@ kind: book title: Prisma Cloud Compute Edition Release Notes author: Prisma Cloud team -version: 33.02 +version: 33.03 ditamap: prisma-cloud-compute-edition-release-notes dita: techdocs/en_US/dita/prisma/prisma-cloud/33/prisma-cloud-compute-edition-release-notes --- @@ -12,8 +12,8 @@ dir: release-information topics: - name: Prisma(TM) Cloud Compute Edition Release Information file: release-information.adoc - - name: 33.02 (Build 33.02.130) - file: release-notes-33-02.adoc + - name: 33.03 (Build 33.03.TBD) + file: release-notes-33-03.adoc --- kind: chapter name: Get Help 
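Review bot: book_point_release.yml now publishes `33.03 (Build 33.03.TBD)` while book.yml in the same patch says `33.03 (Build 33.03.138)`; replace the placeholder with the real build number before merge (the previous entry had already drifted: 33.02.130 here versus 33.02.134 in book.yml). In the fragment hunk, the new RKE2 bullet names a UI label in typographic quotes (“SELinux Policy”) inside a section that documents the `twistcli defender export` command line; name the matching twistcli option next to the label and use plain quotes.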
diff --git a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc index 31a19125c7..11a57029aa 100644 --- a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc +++ b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc @@ -9,6 +9,16 @@ The following table lists the fixed issues for 33.xx releases. |*ISSUE ID* |*DESCRIPTION* +|*CWP-62576* + +tt:[Fixed in 33.03.138] + +| *Resolving Severity Scores and CVE Links for GO Vulnerabilities in OSV Feed* + +When processing CVEs sourced from both the GO and GitHub Security Advisories (GHSA) formats in the Open Source Vulnerability (OSV) feed, incorrect severity scores and CVE links were assigned. + +This issue is resolved. The fix ensures that the severity scores, CVSS values, and CVE links for GO vulnerabilities are accurate and aligned with the official OSV GO feed. + |*CWP-62313* tt:[Fixed in 33.02.130] 
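Review bot: the language is spelled `GO` throughout the CWP-62576 row (title and body) but `Go` in the CWP-62358 text later in the same file; standardise on `Go`. The row should also state what happens when the Go and GHSA entries for the same CVE disagree on severity; "aligned with the official OSV GO feed" implies the Go feed takes precedence but does not say so.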
@@ -301,6 +311,29 @@ The following table lists the known issues for 33.00 release. // In Prisma Cloud Compute Edition instances that have the Clustered DB mode enabled for the Console, the Console fails to start after upgrading to release 32.06. +|*CWP-59515* + +|*K8s Defender Crash Loop on RKE2* + +The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. + +*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only. + +// |*CWP-62358* + +// |*Incorrect Version Detection for Go Binaries with Missing Dependencies* + +//When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. + + +//PCSUP-25103 +|*CWP-62297* + +|*Twistlock console unable to list image tags from remote repo* + +If defender and remote repository are in different subnet, the image tag pulling using `podman search --list -tags` is not supported with the same access token issued by registry.twistlock.com. + + //PCSUP-23081 |*CWP-59435* diff --git a/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc new file mode 100644 index 0000000000..ab082bf154 --- /dev/null +++ b/docs/en/compute-edition/33/rn/release-information/release-notes-33-03.adoc 
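Review bot: the CWP-62297 row has `podman search --list -tags`; podman's flag is `--list-tags` (one token), and the stray space changes the command for anyone who copies it. The same sentence needs a grammar pass, roughly "If the Defender and the remote repository are in different subnets, listing image tags with `podman search --list-tags` is not supported with the access token issued by registry.twistlock.com", and the title still says "Twistlock console" rather than Prisma Cloud Console.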
@@ -0,0 +1,182 @@ +:toc: macro +== 33.03 Release Notes + +The following table outlines the release particulars: + +[cols="1,4"] +|=== +|Build +|33.03.138 + +|Code name +|Pascal Update 3 + +|Release date +|January 05, 2024 + +|Type +|Minor release + +|SHA-256 +|a071ad84ace670a9f4ee37fc3e2f44f270527d4671ebc8e3dc448a6d50282d3d +|=== + +Review the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/install/system-requirements[system requirements] to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators. + +You can download the release image from the Palo Alto Networks Customer Support Portal, or use a program or script (such as curl, wget) to download the release image directly from our CDN: + + +//https://cdn.twistlock.com/releases/RhRanogV/prisma_cloud_compute_edition_33_02_134.tar.gz[https://cdn.twistlock.com/releases/RhRanogV/prisma_cloud_compute_edition_33_02_134.tar.gz] + +toc::[] + +=== Lifecycle Support Update + +Prisma Cloud officially guarantees backward compatibility with up to two previous major versions (n-2). + +Although the support lifecycle remains unchanged, starting from version 33.xx, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from up to three major releases before the current version (upto n-3 major releases). + +For example, with the current version at 33.xx, API calls and Defenders from version 30.xx will be allowed. However, support and complete backward compatibility is guaranteed for the 32.xx and 31.xx releases. + +[#upgrade] +=== Upgrade from Previous Releases + +[#upgrade-defender] +==== Upgrade Defenders + +Starting with the `v33.00` release, the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/upgrade/support-lifecycle[Defender versions supported (n, n-1, and n-2)] are `v33.00`, `v32.00`, and `v31.00` respectively. 
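Review bot: the release date reads `January 05, 2024`, but build 33.03.138 is announced in the `Features Introduced in January 2025` page created later in this patch, so the year should be 2025. The download paragraph ends with a colon followed by nothing, because the CDN link is commented out and still points at the 33_02_134 tarball; either add the 33.03.138 link or drop the sentence, and say which artifact the SHA-256 in the table applies to, since there is currently no file for it to verify.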
In addition, starting from release 33.00, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from the n-3 version. So the current release will allow Defenders and REST API calls from release 30.xx also. Failure to upgrade Defenders below version `v30.00`, such as `v22.12`, will result in disconnection of the Defenders from the Console. + +However, to maintain full support, you must upgrade your Defenders to `v31.xx` or a higher release. + +To summarize, the level of support for the different versions of Defenders is as follows: + +* Defender versions 33.xx, 32.xx, and 31.xx have full support +* Defender versions 30.xx are functional (will be able to connect to version 33.xx Console) but support is not available for such Defenders +* Defender versions previous to 30.xx, such as 22.12, are neither supported nor functional (cannot connect to version 33.xx Console) + + +[#upgrade-console] +==== Upgrade the Prisma Cloud Console + +Starting with the `v33.00` release, the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/upgrade/support-lifecycle[supported Console versions (n, n-1, and n-2)] are `v33.00`, `v32.00`, and `v31.00` respectively. + +NOTE: Defenders from the n-3 release will remain functional as described above. + +You can upgrade the Prisma Cloud console directly from any n-1 version to n. For example, with `v33.00` as n and `v32.00` as n-1, you can upgrade directly from `v32.05.124` to `v33.01.137`. + +NOTE: You have to upgrade any version of `v31.00` to `v32.00` before upgrading to `v33.00`. For example, you must upgrade from `v31.02.137` to `v32.07.123` before you upgrade to `v33.01.137`. 
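Review bot: the upgrade examples are stale for a 33.03 note: `v32.05.124` to `v33.01.137`, and `v31.02.137` to `v32.07.123` to `v33.01.137`, should reference 33.03.138 or be written generically. "upto n-3 major releases" should be "up to". The sentence "Failure to upgrade Defenders below version `v30.00`, such as `v22.12`, will result in disconnection" reads as if upgrading were the problem; say that Defenders older than v30.00 (for example v22.12) cannot connect to a 33.xx Console. The Lifecycle Support Update section and the Upgrade Defenders section state the same n-3 rule twice; keep one and link to the other.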
+ + + + + +//[#cve-coverage-update] +//=== CVE Coverage Update + +//[#announcement] +//=== Announcement + + +[#enhancements] +=== Enhancements +[cols="30%a,70%a"] +|=== +|*Feature* +|*Description* + +|Enhancement to Prevent Action with `fsmon_v2` +//CWP-62711 + +|To improve the handling of file system events for Prevent Action in the Runtime Policy, a new version `fsmon_v2` has been developed. `fsmon_v2` manages event timeouts in an efficient way and ensures independent handling of each event, thus reducing bottlenecks and improving overall performance. + +While `fsmon_v2` brings significant improvements, it is still under active development, and further enhancements are planned. Currently, `fsmon_v2` is being rolled out gradually. + +This feature is disabled by default. Customers who want to activate this feature should submit a ticket requesting engineering to enable it. + +|"last-connected" Field Added to Defender Stats Logs +//CWP-62666 + +|A new field, last-connected, has been added to each Defender stats log. This field records the last confirmed connection time between the Defender and the Console, even when the Connected flag is set to false. The timestamp is represented in epoch seconds (UTC), providing customers with a reliable way to track connection history. +|=== + +[#intelligence-stream-updates] +=== Intelligence Stream Updates +[cols="30%a,70%a"] +|=== +|*Feature* +|*Description* +|Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9 +//CWP-30827 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|To ensure accurate vulnerability reporting, Intelligence Stream will include RPM module and stream information for RHEL in the reports. This approach improves detection of vulnerabilities and ensures that all associated RPM packages installed by a module are examined during the scan. 
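Review bot: the two Enhancements rows carry no `tt:[Secure the Runtime]` / `tt:[33.03.138]` tags while the Intelligence Stream rows immediately below do, and the identical rows in the Enterprise Edition page later in this patch have them; make the tables consistent. `last-connected` and `Connected` are field names and belong in monospace rather than quotes or plain text, and the row should name the stats log or endpoint that carries the field so readers can find it. Saying fsmon_v2 "is still under active development" in GA release notes reads as unsupported; if it is a controlled rollout enabled by support ticket, say exactly that.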
+ +*What are RPM Modules and Streams?* + +In Red Hat Enterprise Linux (RHEL), an RPM module is a collection of related RPM packages that represent a software component, such as an application, its dependencies, and helper utilities. Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism. + +Modules are structured in the following way: + +* *Module Streams*: Virtual repositories within the AppStream repository. Each stream corresponds to a specific version of the module and receives independent updates. + +* *Stream Activation*: At any time, only one stream of a module can be active, meaning only one version of a component can be installed on a system. + +For example, the notation `python39:3.9/python39` indicates the module `python39`, the stream `3.9`, and the source package `python39`. + +*Enhancements to Vulnerability Reporting* + +* *Module-Based Vulnerability Identification*: Scans will report vulnerabilities based on the module and stream configuration. This ensures accurate detection and avoids false positives or false negatives caused by discrepancies in versioning or backported fixes. + +* *Inclusion of RPM Module Metadata in Scan Results*: The enhanced implementation associates RPM packages with their respective modules and streams. The Prisma Cloud console will include this module information in vulnerability scan results. + + +*Benefits of Module-Aware Vulnerability Reporting* + +* *Improved Accuracy*: Matches CVE fixes to the correct module stream. +* *Reduced False Positives*: Avoids misreporting of vulnerabilities fixed in older streams. +* *Comprehensive Coverage*: Links all RPM packages installed by a module to its vulnerabilities. 
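Review bot: "Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism" contradicts the row's own title (RHEL 8 and 9) and its reference to the AppStream repository: modularity arrived with RHEL 8's AppStream, and Software Collections is the mechanism RHEL 6 and 7 used. Change it to "Starting with RHEL 8, modules in the AppStream repository replaced Software Collections". The row also uses future tense ("Intelligence Stream will include", "Scans will report") for behaviour this release ships; use the present.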
+ +|Enhanced Vulnerability Reporting for NuGet Packages +//CWP-49786 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|Previously, the scanning process included NuGet packages listed in the `.deps.json` files, which were essential for the runtime environment but not related to the application itself. These unrelated packages result in false positives in vulnerability reporting. + +With this enhancement, the scanning process excludes runtime-specific dependencies that are not directly related to the application. This provides a more accurate view of vulnerabilities directly associated with the application, and reduces false positive alerts. + +*NOTE*: + +* This enhancement requires upgrading Defenders to the latest version. + +* The updated Defender accurately identifies package dependencies, which leads to fewer false positives. + +* Older Defender versions will remain unaffected by this change, and their behavior remains unchanged. + +|=== + + +//[#new-features-agentless-security] +// === New Features in Agentless Security + +// [#new-features-core] +// === New Features in Core + +// [#new-features-host-security] +// === New Features in Host Security + +// [#new-features-serverless] +// === New Features in Serverless + +// [#new-features-waas] +// === New Features in WAAS + +// [#api-changes] +// === API Changes and New APIs + +// [#deprecation-notices] +// === Deprecation Notices + diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/compliance/operations/oss-license-management.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/compliance/operations/oss-license-management.adoc deleted file mode 100644 index c25c3c2c9a..0000000000 --- a/docs/en/enterprise-edition/content-collections/runtime-security/compliance/operations/oss-license-management.adoc +++ /dev/null 
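Review bot: "requires upgrading Defenders to the latest version" should name the version (33.03.138), since these are versioned release notes, and the second and third NOTE bullets restate the first paragraph and each other; a single bullet saying that Defenders older than 33.03 keep the previous `.deps.json` behaviour covers it. One concrete example of a runtime-only `.deps.json` entry that is now skipped would let readers confirm the change in their own scan results.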
@@ -1,66 +0,0 @@ -[#oss-license-management] -== OSS License Management - -Prisma Cloud can detect licenses for package dependencies in code repositories. -It can scan code repos hosted by service providers (currently GitHub only). -It can also scan build folders constructed by CI build jobs. - -A license policy defines the criticality of a license. -For example, you might specify consider any package with a GPL license as a critical issue. -Depending on your license policy, Prisma Cloud can raise alerts and block builds. - -[.task] -=== Create a license compliance policy - -Compliance policies consist of one or more rules. - -NOTE: Prisma Cloud ships with a default rule named *Default - alert all components*. -This rule ships with alerts disabled, so the policy is effectively disabled. -As a starting point, consider cloning this rule, and reconfiguring it for your own purposes. -Set a threshold, and declare licenses you consider critical. -Rule order is important, so be sure your custom rule sits above the default rule. - -[.procedure] -. Open Console. - -. Go to *Defend > Compliance > Code repositories*. - -. Choose the target of your policy. -+ -If your policy targets GitHub, go to the *Repositories* tab. -+ -If your policy targets your CI pipeline, go to the *CI* tab. - -. Click *Add rule*. - -. Specify a rule name. - -. In *Scope*, select one or more collections to apply your policy to specific repos. -+ -Use the default *All* collection to apply it to all repos. - -. Set the rule thresholds. - -. Specify the severity of each license of interest. -+ -Each field offers SPDX license identifiers as suggestions. -Pattern-matching expressions are supported (e.g., `GPL-*`). - - -=== Scan with twistcli - -To scan a folder with twistcli, use the following command: - - twistcli coderepo scan [FOLDER_PATH] --details - -Contents of the repo are assessed according to the policy in *Defend > Compliance > Code repositories > CI*. 
-Scan results are published in *Monitor > Compliance > Code repositories > CI* - -For CI only, a status column indicates if twistcli passed or failed the build according to the defined policy. - - -=== Review scan results. - -Go to *Monitor > Compliance > Code repositories*. -Each row in the results table has a meter which shows the number of compliance issues at each severity level. -Click on a row to drill into the details of the scan report. diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/install/fragments/install-defender-twistcli-export-kubectl.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/install/fragments/install-defender-twistcli-export-kubectl.adoc index f65a9ef33c..8255f6ed08 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/install/fragments/install-defender-twistcli-export-kubectl.adoc +++ b/docs/en/enterprise-edition/content-collections/runtime-security/install/fragments/install-defender-twistcli-export-kubectl.adoc @@ -70,8 +70,7 @@ $ ./twistcli defender export kubernetes \ * Once you run the given command, after altering the fields for your environment, you will get a prompt requesting a password. The password is the secret key of the Prisma Cloud user with the System Admin role that you should have created as part of the prerequisite. + -[NOTE] -==== +Note: * For provider managed clusters, Prisma Cloud automatically gets the cluster name from your cloud provider. * To override the cluster name used that your cloud provider has, use the `--cluster` option. 
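Review bot: this Enterprise Edition copy of the fragment keeps the `+` list continuation but drops the `[NOTE]`/`====` delimiters, while the Compute Edition copy earlier in the patch drops both, so the two pages will render differently. Keep the admonition block in both and add the RKE2 bullet inside it. The deleted Enterprise Edition OSS license page carried the `[#oss-license-management]` anchor; grep the content collections for xrefs to it before merging, and add a deprecation note since the page is removed without one.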
@@ -83,7 +82,9 @@ $ ./twistcli defender export kubernetes \ * When using an AWS Bottlerocket-based EKS cluster, pass the `--container-runtime crio` flag when creating the `YAML` file. * To use Defenders in *GKE on ARM*, you must https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#node-affinity-multi-arch-arm[prepare your workloads]. -==== + +* For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. + . Deploy the Defender `DaemonSet` custom resource. + diff --git a/docs/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/registry-scanning/configure-registry-scanning.adoc b/docs/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/registry-scanning/configure-registry-scanning.adoc index 2fe4c7192a..d630ff9e40 100644 --- a/docs/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/registry-scanning/configure-registry-scanning.adoc +++ b/docs/en/enterprise-edition/content-collections/runtime-security/vulnerability-management/registry-scanning/configure-registry-scanning.adoc @@ -108,7 +108,7 @@ At a high level, Defenders scan your registries following these steps. //. Scan registry settings one by one in sequential order. . Scan multiple registries in parallel, the default value is set to scan 4 registries at a time. -. There can be up to 9 registry scanning requests in the queue at a time. +. There can be up to 9 registry scanning requests in the queue at a time. Contact the Palo Alto Network Customer Support or your Customer Success Team to configure the default registry scan limit on your SaaS console. . Discover the repositories based on your registry configuration. . Discover the images using tags within each configured repository. . Scan the discovered images. diff --git a/docs/en/enterprise-edition/rn/book.yml b/docs/en/enterprise-edition/rn/book.yml index cc4c294f88..e9434bf59a 100644 
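Review bot: in the configure-registry-scanning hunk, "Palo Alto Network Customer Support" should be "Palo Alto Networks Customer Support", and the added sentence is attached to the queue-size step (9 requests) yet speaks of "the default registry scan limit", which could equally mean the parallel-scan count (4) in the step before it; say which value support can raise. The RKE2 bullet in the fragment hunk has the same typographic quotes and missing twistcli option as its Compute Edition twin.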
--- a/docs/en/enterprise-edition/rn/book.yml +++ b/docs/en/enterprise-edition/rn/book.yml @@ -17,6 +17,13 @@ dir: prisma-cloud-release-info topics: - name: Prisma® Cloud Release Information file: prisma-cloud-release-info.adoc + - name: Features Introduced in 2025 + dir: features-introduced-in-2025 + topics: + - name: Features Introduced in 2025 + file: features-introduced-in-2025.adoc + - name: Features Introduced in January 2024 + file: features-introduced-in-january-2024.adoc - name: Features Introduced in 2024 dir: features-introduced-in-2024 topics: diff --git a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc index 91b59aaffc..ccaf3c63b6 100644 --- a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc +++ b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc 
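Review bot: the new `Features Introduced in 2025` directory entry lists `Features Introduced in January 2024` with `file: features-introduced-in-january-2024.adoc`, but the file this patch creates is `features-introduced-in-january-2025.adoc`; both the title and the path need to say 2025 or the build will link to a missing page. The entry also references `features-introduced-in-2025.adoc` as the directory index, and that file is not in this diff; confirm it exists.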
@@ -26,11 +26,19 @@ The list of fixed issues are not cumulative; only the issues that are fixed with //On *Inventory > Assets*, if you filter based on the _Key-Value_ *Asset Tag* and your environment has more that 1 million assets, the results will be inconclusive. //Contact your Prisma Cloud Customer Success representative for more details. -|*RLP-152525* +|*CWP-59515* -|The resource URL on the *Alerts Overview* page is generated by evaluating the resource metadata present in the alert. In some cases, some of the resource metadata is not available to Prisma Cloud and hence the generated URL may be incorrect. +|*K8s Defender Crash Loop on RKE2* -//*Impact*: +The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options. + +*Workaround*: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only. + +// |*CWP-62358* + +// |*Incorrect Version Detection for Go Binaries with Missing Dependencies* + +//When a Go binary has no listed dependencies in its build information (verified using `go version -m `), the version of its external dependencies is used to identify the version of the Go binary. This could result in incorrect vulnerability data. |*RLP-153383* @@ -82,7 +90,6 @@ Custom roles cannot be configured to include these permissions, as Google Cloud If the Viewer role or domain related built in role is not configured, the API ingestion will fail, and `'Missing Permissions'` warning for the above permissions will not be displayed on the account status page. - |*RLP-146718* //Added on 8/14/2024 after 24.8.1 
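Review bot: the first hunk replaces the RLP-152525 known issue (incorrect resource URL on the Alerts Overview page) with CWP-59515 instead of adding beside it, and nothing in the patch says RLP-152525 was fixed; if it is fixed, move it to the fixed-issues table with a `tt:[Fixed in ...]` tag, otherwise keep it. The CWP-59515 text is also the third copy of the same known issue in this patch (known-issues-33.adoc carries it verbatim), so a shared fragment would keep the copies from drifting.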
@@ -397,6 +404,11 @@ CVE-2024-3154 - Arbitrary Systemd Property Injection as Defender does not direct |*CWP-52710* |While upgrading consoles from the 30.03 release to a 32.xx release, the error log `failed to retrieve "size" specification option value` during the migration doesn't impact the migration process and can be ignored. +//PCSUP-25103 +|*CWP-62297* +|*Twistlock console unable to list image tags from remote repo* +If defender and remote repository are in different subnet, the image tag pulling using `podman search --list -tags` is not supported with the same access token issued by registry.twistlock.com. + // CWP-61287 -- Issue fixed // |*CWP-61287* @@ -417,6 +429,16 @@ CVE-2024-3154 - Arbitrary Systemd Property Injection as Defender does not direct |*ISSUE ID* |*DESCRIPTION* +|*CWP-62576* + +tt:[Fixed in 33.03.138] + +|*Resolving Severity Scores and CVE Links for GO Vulnerabilities in OSV Feed* + +When processing CVEs sourced from both the GO and GitHub Security Advisories (GHSA) formats in the Open Source Vulnerability (OSV) feed, incorrect severity scores and CVE links were assigned. + +This issue is resolved. The fix ensures that the severity scores, CVSS values, and CVE links for GO vulnerabilities are accurate and aligned with the official OSV GO feed. + |*CWP-62313* tt:[Fixed in 33.02.134] diff --git a/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc b/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc index e43014a9a9..54807f9f7f 100644 --- a/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc +++ b/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc 
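Review bot: the CWP-62297 row here has no blank line between `|*Twistlock console unable to list image tags from remote repo*` and the sentence that follows, so in an `a` cell the title and description render as one paragraph; the same row in known-issues-33.adoc earlier in the patch has the blank line. It also repeats the `--list -tags` typo (podman's flag is `--list-tags`). The second hunk places CWP-62576 above a CWP-62313 entry tagged `Fixed in 33.02.134`, while the Compute Edition table tags that same entry `Fixed in 33.02.130`; reconcile the 33.02 build number across the two files.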
@@ -1,18 +1,17 @@ == Look Ahead—Planned Updates to Secure the Runtime -//Currently, there are no previews or announcements for updates. +Currently, there are no previews or announcements for updates. -The following sections provide a preview of the planned updates for the `v33.03` release of Runtime Security. +//The following sections provide a preview of the planned updates for the `v33.03` release of Runtime Security. -*NOTE*: +//*NOTE*: -The details and functionality listed below provide a preview of what is planned for the `v33.03` release. Both the updates and their actual release dates are subject to potential changes. +//The details and functionality listed below provide a preview of what is planned for the `v33.03` release. Both the updates and their actual release dates are subject to potential changes. //*<> //*<> //*<> - //* <> //* <> //* <> 
@@ -21,48 +20,4 @@ The details and functionality listed below provide a preview of what is planned //* <> //* <> -=== Intelligence Stream Updates - -==== Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9 -//CWP-30827 -To ensure accurate vulnerability reporting, Intelligence Stream will include RPM module and stream information for RHEL. This approach improves detection of vulnerabilities and ensures that all associated RPM packages installed by a module are examined during the scan. - -*What are RPM Modules and Streams?* - -In Red Hat Enterprise Linux (RHEL), an RPM module is a collection of related RPM packages that represent a software component, such as an application, its dependencies, and helper utilities. Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism. - -Modules are structured in the following way: - -* *Module Streams*: Virtual repositories within the AppStream repository. Each stream corresponds to a specific version of the module and receives independent updates. - -* *Stream Activation*: At any time, only one stream of a module can be active, meaning only one version of a component can be installed on a system. - -For example, the notation `python39:3.9/python39` indicates the module `python39`, the stream `3.9`, and the source package `python39`. - -*Enhancements to Vulnerability Reporting* - -* *Module-Based Vulnerability Identification*: Scans will report vulnerabilities based on the module and stream configuration. This ensures accurate detection and avoids false positives or false negatives caused by discrepancies in versioning or backported fixes. - -* *Inclusion of RPM Module Metadata in Scan Results*: The enhanced implementation associates RPM packages with their respective modules and streams. The Prisma Cloud console will include this module information in vulnerability scan results. 
- - -*Benefits of Module-Aware Vulnerability Reporting* - -* *Improved Accuracy*: Matches CVE fixes to the correct module stream. -* *Reduced False Positives*: Avoids misreporting of vulnerabilities fixed in older streams. -* *Comprehensive Coverage*: Links all RPM packages installed by a module to its vulnerabilities. - -==== Enhanced Vulnerability Reporting for NuGet Packages -//CWP-49786 -Previously, the scanning process included NuGet packages listed in the `.deps.json` files, which were essential for the runtime environment but not related to the application itself. These unrelated packages result in false positives in vulnerability reporting. - -With this enhancement, the scanning process excludes runtime-specific dependencies that are not directly related to the application. This provides a more accurate view of vulnerabilities directly associated with the application, and reduces false positive alerts. - - -*NOTE*: - -* This enhancement requires upgrading Defenders to the latest version. - -* The updated Defender accurately identifies package dependencies, which leads to fewer false positives. -* Older Defender versions will remain unaffected by this change, and their behavior remains unchanged. \ No newline at end of file diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc new file mode 100644 index 0000000000..b8b3181324 --- /dev/null +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-january-2025.adoc 
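Review bot: look-ahead-secure-the-runtime.adoc still ends without a trailing newline (`\ No newline at end of file`); add one so the next edit does not show a spurious last-line change. The RHEL and NuGet text removed here is re-added verbatim in both the Compute Edition 33.03 notes and the new Enterprise Edition January 2025 page; an AsciiDoc `include::` of one shared fragment would replace this delete-and-paste pattern and keep the three copies identical.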
@@ -0,0 +1,155 @@ +== Features Introduced in January 2025 + +Learn what's new on Prisma® Cloud in January 2025. + +* <> +* <> +//* <> +//* <> +//* <> +//* <> +//* <> +//* <> +//* <> +//* <> +//* <> +//* <> + +//[#announcement] +//=== Announcement + +//[cols="50%a,50%a"] +//|=== +//|*Feature* +//|*Description* +//|=== + +[#enhancements] +=== Enhancements +[cols="30%a,70%a"] +|=== +|*Feature* +|*Description* + +|Enhancement to Prevent Action with `fsmon_v2` +//CWP-62711 + +tt:[Secure the Runtime] + +tt:[33.03.138] + +|To improve the handling of file system events for Prevent Action in the Runtime Policy, a new version `fsmon_v2` has been developed. `fsmon_v2` manages event timeouts in an efficient way and ensures independent handling of each event, thus reducing bottlenecks and improving overall performance. + +While `fsmon_v2` brings significant improvements, it is still under active development, and further enhancements are planned. Currently, `fsmon_v2` is being rolled out gradually. + +This feature is disabled by default. Customers who want to activate this feature should submit a ticket requesting engineering to enable it. + +|"last-connected" Field Added to Defender Stats Logs +//CWP-62666 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|A new field, last-connected, has been added to each Defender stats log. This field records the last confirmed connection time between the Defender and the Console, even when the Connected flag is set to false. The timestamp is represented in epoch seconds (UTC), providing customers with a reliable way to track connection history. 
+|=== + +[#intelligence-stream-updates] +=== Intelligence Stream Updates +[cols="30%a,70%a"] +|=== +|*Feature* +|*Description* +|Enhancements to Vulnerability Reporting for Red Hat Enterprise Linux (RHEL) Versions 8 and 9 +//CWP-30827 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|To ensure accurate vulnerability reporting, Intelligence Stream will include RPM module and stream information for RHEL in the reports. This approach improves detection of vulnerabilities and ensures that all associated RPM packages installed by a module are examined during the scan. + +*What are RPM Modules and Streams?* + +In Red Hat Enterprise Linux (RHEL), an RPM module is a collection of related RPM packages that represent a software component, such as an application, its dependencies, and helper utilities. Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism. + +Modules are structured in the following way: + +* *Module Streams*: Virtual repositories within the AppStream repository. Each stream corresponds to a specific version of the module and receives independent updates. + +* *Stream Activation*: At any time, only one stream of a module can be active, meaning only one version of a component can be installed on a system. + +For example, the notation `python39:3.9/python39` indicates the module `python39`, the stream `3.9`, and the source package `python39`. + +*Enhancements to Vulnerability Reporting* + +* *Module-Based Vulnerability Identification*: Scans will report vulnerabilities based on the module and stream configuration. This ensures accurate detection and avoids false positives or false negatives caused by discrepancies in versioning or backported fixes. + +* *Inclusion of RPM Module Metadata in Scan Results*: The enhanced implementation associates RPM packages with their respective modules and streams. The Prisma Cloud console will include this module information in vulnerability scan results. 
+ + +*Benefits of Module-Aware Vulnerability Reporting* + +* *Improved Accuracy*: Matches CVE fixes to the correct module stream. +* *Reduced False Positives*: Avoids misreporting of vulnerabilities fixed in older streams. +* *Comprehensive Coverage*: Links all RPM packages installed by a module to its vulnerabilities. + +|Enhanced Vulnerability Reporting for NuGet Packages +//CWP-49786 + +tt:[Secure the Runtime] + +tt:[33.03.138] +|Previously, the scanning process included NuGet packages listed in the `.deps.json` files, which were essential for the runtime environment but not related to the application itself. These unrelated packages result in false positives in vulnerability reporting. + +With this enhancement, the scanning process excludes runtime-specific dependencies that are not directly related to the application. This provides a more accurate view of vulnerabilities directly associated with the application, and reduces false positive alerts. + +*NOTE*: + +* This enhancement requires upgrading Defenders to the latest version. + +* The updated Defender accurately identifies package dependencies, which leads to fewer false positives. + +* Older Defender versions will remain unaffected by this change, and their behavior remains unchanged. + +|=== + +//[#new-features] +//=== New Features + +//[cols="50%a,50%a"] +//|=== +//|*Feature* +//|*Description* + +//|=== + +//[#policy-updates] +//=== Policy Updates + +//[cols="50%a,50%a"] +//|=== +//|*Policy Updates* +//|*Description* + +//|=== + + +//[#new-compliance-benchmarks-and-updates] +//=== New Compliance Benchmarks and Updates + +//[cols="50%a,50%a"] +//|=== +//|*Compliance Benchmark* +//|*Description* + +//|=== + +//[#rest-api-updates] +//=== REST API Updates + +//[cols="37%a,63%a"] +//|=== +//|*Change* +//|*Description* + + +//|=== 
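Review bot: the sentence "Starting with RHEL 6 and 7, modules replaced the Software Collections mechanism" in the RHEL row contradicts the row's own heading (RHEL 8 and 9) and its reference to the AppStream repository, which exists only from RHEL 8 onward; Software Collections was the RHEL 6/7 mechanism that AppStream modules replaced, so reword to "Starting with RHEL 8, modules replaced the Software Collections mechanism used in RHEL 6 and 7." The same row is carried over verbatim from the look-ahead page in future tense ("Intelligence Stream will include ...", "Scans will report ..."); now that it sits under a released build tag (`tt:[33.03.138]`), use the present tense. Two table-formatting points: the Intelligence Stream Updates table has no blank line between the `|*Description*` header cell and the first `|Enhancements to Vulnerability Reporting ...` row, unlike the Enhancements table above it, and the "last-connected" row likewise lacks the blank line before its `|A new field, last-connected, ...` cell; put the field name in backticks (`last-connected`, `Connected`) as `fsmon_v2` is. Finally, the `fsmon_v2` row says both that the feature "is being rolled out gradually" and that it is "disabled by default" pending a support ticket; state which of the two applies so customers know whether to expect it without asking.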
diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc index e0fd6b10cc..4bdbcfb6ee 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc 
@@ -7,16 +7,16 @@ Prisma Cloud is your code to cloud security platform that provides security at a //Prisma Cloud monitors your resources deployed on the Public cloud environments—AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud Infrastructure, and Alibaba Cloud—for cloud security and compliance risks. As the service automatically discovers new resources that are deployed in your cloud environment, it enables you to implement policy guardrails to ensure resource configurations adhere to industry standards and integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues. This capability streamlines the process of identifying issues, detecting and responding to a list of prioritized risks to maintain an agile development process and operational efficiency. //Prisma Cloud Application Security identifies vulnerabilities, misconfigurations and compliance violations in Infrastructure as Code ( IaC) templates, container images and git repositories. -The current release for Prisma Cloud Security Platform is 24.12.1. +The current release for Prisma Cloud Security Platform is 25.1.1. -If you are using Runtime Security, the current version is 32.06. +If you are using Runtime Security, the current version is 33.03. //It will be upgraded to 32.00.xxx on >>>, 2023. To view the current operational status of Palo Alto Networks cloud services, see https://status.paloaltonetworks.com/[https://status.paloaltonetworks.com/]. 
Before you begin using Prisma Cloud, make sure you review the following information: -* xref:../prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-2024.adoc[Features Introduced in 2024] +* xref:../prisma-cloud-release-info/features-introduced-in-2025/features-introduced-in-2025.adoc[Features Introduced in 2025] * xref:../prisma-cloud-release-info/classic-releases/classic-releases.adoc[Classic Releases] * xref:../limited-ga-features-prisma-cloud/limited-ga-features-prisma-cloud.adoc[Limited GA Features] * xref:../look-ahead-planned-updates-prisma-cloud/look-ahead-planned-updates-prisma-cloud.adoc[Look Ahead—Planned Updates on Prisma Cloud]
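Review bot: the stale commented line `//It will be upgraded to 32.00.xxx on >>>, 2023.` directly below the bumped version lines is left untouched and no longer matches either the old 32.06 or the new 33.03 value; remove it or update the placeholder. The new xref target `features-introduced-in-2025/features-introduced-in-2025.adoc` is not created anywhere in this patch (only `features-introduced-in-january-2025.adoc` is added), so confirm that the 2025 parent page exists and links the January page, otherwise this bullet renders as a broken xref.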