23.8.8 Release Notes
InsightCloudSec Software Release Notice - 23.8.8 Release
Release Highlights (23.8.8)
InsightCloudSec is pleased to announce Release 23.8.8. This release includes suspicious event support for the AWS events AttachRolePolicy and AttachUserPolicy. Azure EDH now supports certificate authentication for processing events from Service Bus Queues. In addition, 23.8.8 includes 15 renamed Query Filters, three new Query Filters, and 16 bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Release Tagging & Hashes
The InsightCloudSec team is expanding our tagging strategy for publishing images. To align ourselves with industry best practices, each new InsightCloudSec build version (starting with this one) will include a hash after the version number (including hot fix versions). This means you can obtain this version of InsightCloudSec using three separate tags (all versions can be found here):
latest
23.8.8
23.8.8.72eb275d6
Self-Hosted Deployment Updates (23.8.8)
Release availability for self-hosted customers is Thursday, August 10, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
Modules can be updated with the terraform get -update command.
Features & Enhancements (23.8.8)
- Optimized method used to determine that a data collection is valid to resolve latency issues in the Bot listing endpoint. [ENG-29318]
Resources (23.8.8)
AWS
- Added suspicious event support for the AWS events AttachRolePolicy and AttachUserPolicy. Now, if a role or user has a permission added that includes admin access, write access, and/or privilege escalation, we flag the event as suspicious and mark the role or user as having a suspicious event. [ENG-29929]
- Added support for the relationship between CDNs and load balancers for AWS. [ENG-24578]
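An added illustration of the AttachRolePolicy / AttachUserPolicy check described above, run over constructed CloudTrail-style records. This is not InsightCloudSec code: the action lists, the sample policies and the names classify and suspicious_events are assumptions made for the example.

```python
import fnmatch

# Assumed, non-exhaustive privilege-escalation actions (not the product's own list).
PRIVESC = {"iam:passrole", "iam:createpolicyversion", "iam:attachuserpolicy", "iam:attachrolepolicy"}
WRITE_VERBS = ("create", "delete", "put", "update", "attach", "modify", "write", "*")  # "*" covers s3:*
WATCHED = {"AttachRolePolicy": "roleName", "AttachUserPolicy": "userName"}

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def classify(policy):
    reasons = set()
    for stmt in as_list(policy.get("Statement")):
        actions = as_list(stmt.get("Action")) if stmt.get("Effect") == "Allow" else []
        for action in (a.lower() for a in actions):
            if action in ("*", "*:*") and "*" in as_list(stmt.get("Resource")):
                reasons.add("admin")
            if any(fnmatch.fnmatchcase(p, action) for p in PRIVESC):  # action may be iam:*
                reasons.add("privilege_escalation")
            if action.split(":", 1)[-1].startswith(WRITE_VERBS):
                reasons.add("write")
    return reasons

def suspicious_events(events, policies):
    for ev in events:
        principal_key = WATCHED.get(ev.get("eventName"))
        if principal_key is None or ev.get("errorCode"):
            continue  # not a watched API call, or the call was denied/failed
        params = ev.get("requestParameters") or {}
        arn = params.get("policyArn")
        reasons = classify(policies[arn]) if arn in policies else {"unresolved_policy"}
        if reasons:
            yield params.get(principal_key), arn, sorted(reasons)

# Constructed sample data: policy documents and CloudTrail-style records.
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
READER = "arn:aws:iam::111122223333:policy/example-log-reader"
DEPLOY = "arn:aws:iam::111122223333:policy/example-deployer"
POLICIES = {
    ADMIN: {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    READER: {"Statement": {"Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"}},
    DEPLOY: {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "iam:PassRole"], "Resource": "*"}]},
}
EVENTS = [
    {"eventName": "AttachRolePolicy", "requestParameters": {"roleName": "example-ci", "policyArn": ADMIN}},
    {"eventName": "AttachUserPolicy", "requestParameters": {"userName": "example-analyst", "policyArn": READER}},
    {"eventName": "AttachUserPolicy", "requestParameters": {"userName": "example-dev", "policyArn": DEPLOY}},
    {"eventName": "AttachRolePolicy", "errorCode": "AccessDenied", "requestParameters": {"roleName": "example-ci", "policyArn": DEPLOY}},
]
```

Only Allow statements with an Action element are evaluated here; NotAction and Condition are not. A policy ARN that cannot be resolved is reported as unresolved_policy so it can be reviewed.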
AZURE
- Azure EDH now supports certificate authentication for processing events from Service Bus Queues. [ENG-24026]
Query Filters (23.8.8)
GCP
Identity Resource has Attached Policy Granting Privilege Escalation
- New Query Filter identifies Cloud Users or Roles that have an attached Cloud Policy allowing privilege escalation [ENG-24822]
AZURE
OpenAI (Cognitive Services) With/Without Private Endpoint
- New Query Filter identifies Open AI (Cognitive Services) with or without (default) private endpoints. [ENG-29523]
OpenAI (Cognitive Services) With/Without Valid Diagnostic Logging Configuration
- New Query Filter identifies Open AI (Cognitive Services) with or without (default) a valid diagnostic logging configuration. [ENG-29523]
MULTI-CLOUD/GENERAL
As part of a periodic refresh of Query Filter names and descriptions, we have updated the following Query Filter names to more accurately and succinctly convey their use case. The Old Name → New Name mappings are as follows [ENG-27995]:
- Compute Instance With Open Management Interface Ports Exposed → Instance Exposing Open Management Interface Ports
- Database/Big Data/Broker/Stream Security Group Exposing Access → Resource Exposing Public Access
- Elasticsearch Instance Exposed → Elasticsearch Instance Exposed To Public
- Instance Adaptive Application Control Policy Allowlist Rules Out Of Date → Instance With Out Of Date Adaptive Application Control Policy Allowlist Rules
- Instance Leverages Same Security Group As Load Balancer → Instance Uses Load Balancer Access List
- Instance On Subnet With Default Route to Internet → Instance With/Without Default Route To Internet
- Instance Private/Public IP Address Search → Instance Search By Private/Public IP Address
- Instance Security Group Allow List → Resource Search By Security Group Allowlist
- Instance Security Group Allows Access From Unknown Public IP → Resource Exposing Unknown Public IP
- Instance Security Group Count → Resource By Security Group Count
- Instance/Resource Security Group Associations → Resource Associated With Access List
- Instance Security Group Has Unapproved Networks → Resource With Unapproved Network Access List Rule
- Resource Is Associated With Public Subnet → Resource Associated With Public Subnet
- Resource Security Group Associations (Regex) → Resource Associated With Access List (Regex)
- Resource Security Group Has Public IP Space → Resource With Public IP Access List Rule
Bug Fixes (23.8.8)
Added fix to allow harvest to succeed with no certificate create time. [ENG-30187]
Backoffice Insight Database Instance Flag 'local_infile' enabled; backoffice:486 was previously scoped to the incorrect GCP database engine. The scoping has been updated to include the MySQL database engine. [ENG-30166]
Fixed issue with how loadbalancer targets are displayed. [ENG-29426]
We’ve fixed the following CVEs through an upgrade to Go version 1.19.10 [ENG-29331]:
- CVE-2023-24539 (High) - https://nvd.nist.gov/vuln/detail/CVE-2023-24539
- CVE-2023-24540 (Critical) - https://nvd.nist.gov/vuln/detail/CVE-2023-24540
- CVE-2023-29400 (High) - https://nvd.nist.gov/vuln/detail/CVE-2023-29400
- CVE-2023-29402 (Critical) - https://nvd.nist.gov/vuln/detail/CVE-2023-29402
- CVE-2023-29403 (High) - https://nvd.nist.gov/vuln/detail/CVE-2023-29403
- CVE-2023-29404 (Critical) - https://nvd.nist.gov/vuln/detail/CVE-2023-29404
- CVE-2023-29405 (Critical) - https://nvd.nist.gov/vuln/detail/CVE-2023-29405
Changed permission count from NA to 0 when there are 0 Unique Permissions. [ENG-29327]
Updated our Oracle Cloud Infrastructure harvester for Instances, Network Interfaces, and Public IPs to isolate harvesting to in-use Availability Domains. Updated our OCI harvester for Shared File Systems to retrieve resources outside of the home region. [ENG-29309]
Fixed a bug involving a processor silently failing. [ENG-29149]
Updated the minimum_tls_version property of AWS Database Instances that are members of Database Clusters to use the value of the Database Cluster Parameter Group when the value of the Database Cluster Parameter Group and Database Parameter Group are in conflict. [ENG-28941]
Fixed a bug where updating a cloud storage export's name in the compliance scorecard would still show the old name in some places. [ENG-28574]
Fixed a bug where the compliance scorecard report card would display incorrect resource counts in page data when an impacted resource was a member of multiple custom resource groups. [ENG-28424]
Updated our Oracle Cloud Infrastructure harvester for Instances, Network Interfaces, and Public IPs to isolate harvesting to in-use Availability Domains. Updated our OCI harvester for Shared File Systems to retrieve resources outside of the home region. [ENG-28192]
Fixed an issue where scoped resource groups would be removed from custom insights when the OrphanedResourceCleanup job ran. [ENG-28026]
Fixed a bug involving Query Filter Instance Exposing Public SSH not working if there is no NSG attached to Azure VM. Updated a number of Query Filter names and descriptions as part of the fix. [ENG-27995]
Fixed an issue where a MessageQueueNamespace harvest would fail if a service bus was deleted during the harvest. [ENG-27666]
Updated public access check on Azure Storage Accounts. [ENG-30247]
Fixed a bug where creating an API-only user with an invalid expiration date for the API Key would create the user but fail to create the Key, instead of failing to create both User and Key. [ENG-16650]
Required Policies & Permissions
Policies required for individual CSPs are as follows:
Alibaba Cloud
AWS
- Commercial
- Read Only Policy
- Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China
Azure
- Commercial
- GovCloud
GCP
- For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.