Merge pull request #929 from hlxsites/pascal-update1-pcee

Update to the 33.01 RNs and Sys Req pages
hlxsites · Oct 7, 2024 · d93f343 · d93f343
2 parents 11ed9e0 + f01ffb3
commit d93f343
Show file tree

Hide file tree

Showing 9 changed files with 379 additions and 11 deletions.
diff --git a/docs/en/compute-edition/33/admin-guide/install/system-requirements.adoc b/docs/en/compute-edition/33/admin-guide/install/system-requirements.adoc
@@ -211,11 +211,12 @@ Supported versions are listed in the <<orchestrators,orchestration>> section
 [#podman]
 === Podman
 
-Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.
+Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. 
 
-Podman v1.6.4, v3.4.2, v4.0.2 are supported.
+The twistcli tool uses the pre-installed Podman binary to scan CRI images. The supported Podman versions are 1.6.4, 3.4.2, and 4.0.2.
+
+Prisma Cloud also supports deploying Defenders on Podman containers. Podman version 4.9 is the supported version for this feature.
 
-*Note:* Defender installation is not supported on Podman hosts.
 
 [#helm]
 === Helm

diff --git a/docs/en/compute-edition/33/rn/book.yml b/docs/en/compute-edition/33/rn/book.yml
@@ -18,6 +18,8 @@ dir: release-information
 topics:
   - name: Prisma(TM) Cloud Compute Edition Release Information
     file: release-information.adoc
+  - name: 33.01 (Build 33.01.137)
+    file: release-notes-33-01.adoc
   - name: 33.00 (Build 33.00.169)
     file: release-notes-33-00.adoc
   - name: Fixed and Known Issues in 33.xx

diff --git a/docs/en/compute-edition/33/rn/book_point_release.yml b/docs/en/compute-edition/33/rn/book_point_release.yml
@@ -2,7 +2,7 @@
 kind: book
 title: Prisma Cloud Compute Edition Release Notes
 author: Prisma Cloud team
-version: 33.00
+version: 33.01
 ditamap: prisma-cloud-compute-edition-release-notes
 dita: techdocs/en_US/dita/prisma/prisma-cloud/33/prisma-cloud-compute-edition-release-notes
 ---
@@ -12,8 +12,8 @@ dir: release-information
 topics:
   - name: Prisma(TM) Cloud Compute Edition Release Information
     file: release-information.adoc
-  - name: 33.00 (Build 33.00.169)
-    file: release-notes-33-00.adoc
+  - name: 33.01 (Build 33.01.TBD)
+    file: release-notes-33-01.adoc
 ---
 kind: chapter
 name: Get Help

diff --git a/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc b/docs/en/compute-edition/33/rn/release-information/known-issues-33.adoc
@@ -1,6 +1,6 @@
 == Fixed and Known Issues in 33.xx
 
-The following table lists the fixed issues for 33.00 release.
+The following table lists the fixed issues for 33.xx releases.
 
 === Fixed Issues
 
@@ -9,6 +9,66 @@ The following table lists the fixed issues for 33.00 release.
 |*ISSUE ID*
 |*DESCRIPTION*
 
+|*CWP-62084*
+
+tt:[Fixed in 33.01.137]
+
+| *Updating the list of binaries exposed to a vulnerability after rerunning a scan*
+
+Rerunning a scan didn’t update the binary packages exposed to a vulnerability. This issue is fixed now.
+
+|*CWP-61947*
+
+tt:[Fixed in 33.01.137]
+
+| *Boot volume encryption in agentless scanning*
+
+Fixed an issue with the agentless scanner boot volume default encryption.
+
+|*CWP-61606*
+
+tt:[Fixed in 33.01.137]
+
+| *Inclusion of missing host names in CSV files*
+
+Previously, in the Deployed image results under *Monitor > Vulnerabilities > Images > Deployed*, individual host names were not displayed when multiple hosts ran the same image. Only the total number of hosts was shown, and the downloaded CSV did not include the host names.
+
+This issue is resolved. When downloading the CSV, the exported file now lists the names of all hosts running the same image. However, if the total length of the listed host names exceeds 32,757 characters, the list will be truncated, and the number of truncated host names will be indicated in the CSV.
+
+|*CWP-59281*
+
+tt:[Fixed in 33.01.137]
+
+| *Improved vulnerability reporting for Debian images*
+
+When scanning Debian images, Prisma Cloud occasionally missed some CVEs related to specific package versions. This issue is fixed. 
+
+The fix prioritizes CVE matches from the security repository and Prisma Cloud now reports all previously missing CVEs for packages in Debian images.
+
+|*CWP-58952*
+
+tt:[Fixed in 33.01.137]
+
+| *Improved vulnerability detection for multiple Python versions*
+
+In previous versions of Defender, vulnerabilities were only detected and reported for a single Python installation on a host, even if multiple Python versions were installed. This resulted in False Negatives (FN), where vulnerabilities in other Python versions were missed. 
+
+The issue is fixed. Prisma Cloud will now scan and report vulnerabilities for each installed Python version on a host.
+
+
+|*CWP-59654*
+
+tt:[Fixed in 33.01.137]
+
+| *Support for Amazon Linux CVEs*
+
+Previously, Prisma Cloud reported several false positive vulnerabilities for Amazon Linux CVEs that were marked as "not affected" by Amazon.
+
+Prisma Cloud now fully supports CVEs classified as “not affected” by Amazon, improving the accuracy of vulnerability reporting for Amazon products and resolving the false positive issue. The supported Amazon Linux distributions include Amazon Linux, Amazon Linux 2, and Amazon Linux 2023.
+
+NOTE: Prisma Cloud does not support CVEs labeled as "pending fix" or "no fix planned," as Amazon does not provide the required package version details for precise CVE status reporting.
+
+
 |*CWP-61444*
 
 tt:[Fixed in 33.00.169]

diff --git a/docs/en/compute-edition/33/rn/release-information/release-notes-33-01.adoc b/docs/en/compute-edition/33/rn/release-information/release-notes-33-01.adoc
@@ -0,0 +1,160 @@
+:toc: macro
+== 33.01 Release Notes
+
+The following table outlines the release particulars:
+
+[cols="1,4"]
+|===
+|Build
+|33.01.137
+
+|Code name
+|Pascal
+
+|Release date
+|October 06, 2024
+
+|Type
+|Major release
+
+|SHA-256
+|_TBD_
+|===
+
+Review the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/install/system-requirements[system requirements] to learn about the supported operating systems, hypervisors, runtimes, tools, and orchestrators.
+
+// You can download the release image from the Palo Alto Networks Customer Support Portal, or use a program or script (such as curl, wget) to download the release image directly from our CDN:
+
+// https://cdn.twistlock.com/releases/orvGojie/prisma_cloud_compute_edition_33_00_169.tar.gz[https://cdn.twistlock.com/releases/orvGojie/prisma_cloud_compute_edition_33_00_169.tar.gz]
+
+toc::[]
+
+[#upgrade]
+=== Upgrade from Previous Releases
+
+[#upgrade-defender]
+==== Upgrade Defenders
+
+Starting with the `v33.00` release, the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/upgrade/support-lifecycle[Defender versions supported (n, n-1, and n-2)] are `v33.00`, `v32.00`, and `v31.00` respectively. In addition, starting from release 33.00, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from the n-3 version. So the current release will allow Defenders and REST API calls from release 30.xx also. Failure to upgrade Defenders below version `v30.00`, such as `v22.12`, will result in disconnection of the Defenders from the Console.
+
+However, to maintain full support, you must upgrade your Defenders to `v31.xx` or a higher release.
+
+To summarize, the level of support for the different versions of Defenders is as follows:
+
+* Defender versions 33.xx, 32.xx, and 31.xx have full support
+* Defender versions 30.xx are functional (will be able to connect to version 33.xx Console) but support is not available for such Defenders
+* Defender versions previous to 30.xx, such as 22.12, are neither supported nor functional (cannot connect to version 33.xx Console)
+
+
+[#upgrade-console]
+==== Upgrade the Prisma Cloud Console
+
+Starting with the `v33.00` release, the https://docs.prismacloud.io/en/compute-edition/33/admin-guide/upgrade/support-lifecycle[supported Console versions (n, n-1, and n-2)] are `v33.00`, `v32.00`, and `v31.00` respectively. 
+
+NOTE: Defenders from the n-3 release will remain functional as described above.
+
+You can upgrade the Prisma Cloud console directly from any n-1 version to n. For example, with `v33.00` as n and `v32.00` as n-1, you can upgrade directly from `v32.05.124` to `v33.01.137`.
+
+NOTE: You have to upgrade any version of `v31.00` to `v32.00` before upgrading to `v33.00`. For example, you must upgrade from `v31.02.137` to `v32.07.123` before you upgrade to `v33.01.137`.
+
+
+[#announcement]
+=== Announcement
+
+
+=== Lifecycle Support Update
+
+Prisma Cloud officially guarantees backward compatibility with up to two previous major versions (n-2).
+
+Although the support lifecycle remains unchanged, starting from version 33.xx, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from up to three major releases before the current version (upto n-3 major releases).
+
+For example, with the current version at 33.xx, API calls and Defenders from version 30.xx will be allowed. However, support and complete backward compatibility is guaranteed for the 32.xx and 31.xx releases.
+
+//[#cve-coverage-update]
+//=== CVE Coverage Update
+
+[#enhancements]
+=== Enhancements
+
+// CWP-61917
+
+==== Multiple Intelligence Stream (IS) Builders for Compatibility across Console and Defender Versions
+
+Starting from this release, Prisma Cloud will introduce versioning for the Intelligence Stream (IS) to ensure compatibility across different Console and Defender versions.
+
+*Purpose of Intelligence Stream (IS) versioning*
+
+* *Maintain functionality for older Consoles and Defenders:* IS versioning ensures that older Consoles and Defenders continue to operate properly, even if they are unable to support the latest Intelligence feeds (for example, due to changes in external data feed formats).
+* *Reduce disruptions:* Versioning helps minimize disruptions caused by updates, such as changes in downloaded JSON file fields that could impact CVE accuracy or result in duplicate CVEs.
+
+*Impact on Prisma Cloud Customers*
+
+* *Enterprise Edition (SaaS) customers:* These customers always have the latest Console version, so they will not be affected by this change.
+* *Compute Edition (self-hosted) customers:* IS versions will be aligned with specific Console versions. For example, older 31.xx and 32.xx Consoles will be supported by the IS version released for Console 33.00. When customers upgrade to the latest Console version, they will receive the most recent IS updates.
+
+*Vulnerability Reporting Consistency*
+
+* *New Intelligence Stream (IS) logic updates:* These updates will only apply to the latest IS versions.
+* *Vulnerability data:* All IS versions will continue to provide up-to-date vulnerability information, and changes in IS logic or algorithms will not affect the vulnerability metrics and reporting in the Console.
+
+// CWP-61840
+
+==== Podman
+
+Previously, Prisma Cloud supported scanning Podman images in the CI pipeline using _twistcli_. With this release, Prisma Cloud now supports deploying Defenders on Podman containers, providing comprehensive visibility and protection for workloads running in Podman environments.
+
+This enhancement enables full protection for Podman containers, including continuous vulnerability scanning, compliance policy enforcement, and active runtime security monitoring.
+
+To deploy a Linux Container Defender on Podman, navigate to *Manage* > *Defenders* > *Manual Deploy* > *Single Defender*. Select *Container Defender - Linux* as Defender Type. In the *Container Runtime Type* field, select *Podman* (the default is Docker).
+
+If you select Podman, the installation script automatically includes the `--install-podman` argument.
+
+If your Podman environment uses a custom runtime socket path, you can specify it using the `--podman-socket` argument.
+
+For example, to use Podman with a custom runtime socket path, the installation command would be:
+
+`curl -sSL --header "#####<Bearer TOKEN>####" -X POST <TENANT URL>/api/v1/scripts/defender.sh \| sudo bash -s -- -c "stage-consoles-cwp.cloud.twistlock.com" -v --install-podman --podman-socket "<custom_runtime_socket_path>"`
+
+// CWP-61241
+
+==== SHA-256 Checksum for Defender Image Downloads
+
+Prisma Cloud now enables users to validate the integrity of Defender images downloaded from the Console using a SHA-256 checksum, ensuring the downloaded image matches the server version.
+
+To access the feature, do the following:
+
+. In the Console, go to *Manage > System > Utilities*. 
++ 
+The SHA-256 checksum is available next to the downloadable Defender image. 
+
+. Click *Show Checksum* to view the checksum to verify the downloaded image.
+
+This feature ensures that Defender images are secure and protected from tampering.
+
+
+//[#new-features-agentless-security]
+// === New Features in Agentless Security
+
+// [#new-features-core]
+// === New Features in Core
+
+// [#new-features-host-security]
+// === New Features in Host Security
+
+// [#new-features-serverless]
+// === New Features in Serverless
+
+// [#new-features-waas]
+// === New Features in WAAS
+
+// [#api-changes]
+// === API Changes and New APIs
+
+
+// [#addressed-issues]
+// === Addressed Issues
+
+
+// [#deprecation-notices]
+// === Deprecation Notices
+
diff --git a/...e-edition/content-collections/runtime-security/install/system-requirements.adoc b/...e-edition/content-collections/runtime-security/install/system-requirements.adoc
@@ -165,11 +165,11 @@ Supported versions are listed in the <<orchestrators,orchestration>> section
 [#podman]
 === Podman
 
-Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. The twistcli tool can use the preinstalled Podman binary to scan CRI images.
+Podman is a daemon-less container engine for developing, managing, and running OCI containers on Linux. 
 
-Podman v1.6.4, v3.4.2, v4.0.2 are supported.
+The twistcli tool uses the pre-installed Podman binary to scan CRI images. The supported Podman versions are 1.6.4, 3.4.2, and 4.0.2.
 
-*Note:* Defender installation is not supported on Podman hosts.
+Prisma Cloud also supports deploying Defenders on Podman containers. Podman version 4.9 is the supported version for this feature.
 
 [#helm]
 === Helm

diff --git a/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc b/docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc
@@ -378,6 +378,79 @@ CVE-2024-3154 - Arbitrary Systemd Property Injection as Defender does not direct
 |*ISSUE ID*
 |*DESCRIPTION*
 
+|*CWP-62084*
+
+tt:[Secure the Runtime]
+
+tt:[Fixed in 33.01.137]
+
+| *Updating the list of binaries exposed to a vulnerability after rerunning a scan*
+
+//Fixed an issue, where the scan results displayed in the *Image details* dialog (*Monitor > Vulnerabilities* page, *Images* tab) did not display the binary packages impacted by a vulnerability.
+
+Rerunning a scan didn't update the binary packages exposed to a vulnerability. This issue is fixed now.
+
+|*CWP-61947*
+
+tt:[Secure the Runtime]
+
+tt:[Fixed in 33.01.137]
+
+|*Boot volume encryption in agentless scanning*
+
+Fixed an issue with the agentless scanner boot volume default encryption.
+
+|*CWP-61606*
+
+tt:[Secure the Runtime]
+
+tt:[Fixed in 33.01.137]
+
+|*Inclusion of missing host names in CSV files*
+
+Previously, the Deployed image results under *Monitor > Vulnerabilities > Images > Deployed*, didn't display individual host names when multiple hosts ran the same image. Only the total number of hosts was shown, and the downloaded CSV did not include the host names.
+
+This issue is resolved. The CSV exported file now lists the names of all hosts running the same image. However, if the total length of the listed host names exceeds 32,757 characters, the list is truncated, and the number of truncated host names is indicated in the CSV.
+
+
+|*CWP-59281*
+
+tt:[Secure the Runtime]
+
+tt:[Fixed in 33.01.137]
+
+|*Improved vulnerability reporting for Debian images*
+
+When scanning Debian images, Prisma Cloud occasionally missed some CVEs related to specific package versions. This issue is fixed.
+
+The fix prioritizes CVE matches from the security repository and Prisma Cloud now reports all previously missing CVEs for packages in Debian images.
+
+|*CWP-58952*
+
+tt:[Secure the Runtime]
+
+tt:[Fixed in 33.01.137]
+
+| *Improved vulnerability detection for multiple Python versions*
+
+In previous versions of Defender, vulnerabilities were only detected and reported for a single Python installation on a host, even if multiple Python versions were installed. This resulted in False Negatives (FN), where vulnerabilities in other Python versions were missed.
+
+The issue is fixed. Prisma Cloud will now scan and report vulnerabilities for each installed Python version on a host.
+
+|*CWP-59654*
+
+tt:[Secure the Runtime]
+
+tt:[Fixed in 33.01.137]
+
+| *Support for Amazon Linux CVEs*
+
+Previously, Prisma Cloud reported several false positive vulnerabilities for Amazon Linux CVEs that were marked as "not affected" by Amazon.
+
+Prisma Cloud now fully supports CVEs classified as “not affected” by Amazon, improving the accuracy of vulnerability reporting for Amazon products and resolving the false positive issue. The supported Amazon Linux distributions include Amazon Linux, Amazon Linux 2, and Amazon Linux 2023.
+
+NOTE: Prisma Cloud does not support CVEs labeled as "pending fix" or "no fix planned," as Amazon does not provide the required package version details for precise CVE status reporting.
+
 // CWP-61444
 |tt:[Fixed in 33.00.169]