Oct 03, 2023

23.10.3 Release Notes

InsightCloudSec Software Release Notice - 23.10.3 Release

DivvyCloud Docs Site End-of-Life (EOL) Update

On August 1st, 2023, the InsightCloudSec documentation moved to docs.rapid7.com, alongside the documentation for the rest of the Rapid7 software portfolio. The old site (docs.divvycloud.com) will continue to exist until a near-future date but will remain static. After this date, any links to the old site will be redirected to their docs.rapid7.com/insightcloudsec/ counterpart, so the old site will functionally not be visible publicly. However, the API reference will still be available until further notice. Visit our Getting Support page for details on contacting support for any questions or issues with the transition.

Release Highlights (23.10.3)

InsightCloudSec is pleased to announce Release 23.10.3. This release includes resolution of CWE-1321 & CVE-2023-26136 vulnerabilities, as well as CWE-78 and CVE-2023-26145 vulnerabilities. This release also includes EDH as an entitlement, support for a new Azure resource (Azure Role Assignment), as well as multiple UI/UX improvements and enhancements.

In addition, 23.10.3 includes one updated Insight, two new Insights, three updated Query Filters, two new Query Filters, and 15 bug fixes.

Self-Hosted Deployment Updates (23.10.3)

Release availability for self-hosted customers is Thursday, October 5, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal. Our latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command. The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):

  1. latest
  2. 23.10.3
  3. 23.10.3.0e7f295c4

Limited Release for 23.10.10

As the next week includes a Federal Holiday, we will not be providing a formal release with release notes for the week of 23.10.10. SaaS or self-hosted customers may receive minor bug fixes and we may provide a limited release, but our next full release for both SaaS and self-hosted customers will be on 23.10.17. Reach out to your CSM or InsightCloudSec support with questions or concerns.

Features & Enhancements (23.10.3)

  • Resolved CWE-1321 and CVE-2023-26136 vulnerabilities, which relate to Prototype Pollution. [ENG-31437]

  • Resolved CWE-78 and CVE-2023-26145 vulnerabilities, which relate to Command Injection. [ENG-31845]

  • Added a filter to the Layered Context Resources page to select resources which are either ON or NOT ON any attack paths. [ENG-31289]

  • Updated documentation page with Application endpoint details. [ENG-31193]

  • Event Driven Harvesting is now accessible to basic users with appropriate entitlements. [ENG-30698]

  • Moved configuration settings for Host Vulnerability Assessment to the Vulnerabilities page. Host Vulnerability Assessment scoping is now done via filters. The configuration settings added to the Vulnerabilities page allow:

    • Enabling/disabling of assessment on a per org basis
    • Specifying a filter to determine what hosts should be scanned
    • Display of assessment status, assessment history, and GCP settings

    [ENG-27902, ENG-28953]

  • Added support for using multiple data collections with a query filter. This enhancement affects the Resources, Insights, and Bots pages where query filters are used. [ENG-28839]

  • Added expiration dates for exemption rules. [ENG-30264]

User Interface & User Experience (23.10.3)

  • Provided the ability to toggle between compressed/uncompressed permissions list in the resource panel permissions view for Azure principals. [ENG-29330]

  • Updated AWS Containers Resource on the UI to display status. [ENG-31324]

  • Added Bulk Update functionality to the Manage Basic User Group Entitlements view. This is a UX enhancement to make updating entitlements easier across multiple namespaces. [ENG-29595]

  • Improved printing of Compliance scorecards in dark mode. Added a loading spinner to print buttons. [ENG-31441]

  • Renamed two APA advanced filter options for naming consistency with the table column in UI:

    • Cloud Account Name -> Target Resource Acct
    • Time Discovered -> Age

    [ENG-31353]

Resources (23.10.3)

AWS

  • Updated the Boto3 library to 1.28.55. [ENG-31808]

  • Added AWS S3 account-wide public access block settings to Source Documents. When the S3_SOURCE_DOCUMENT_STORAGE feature flag is enabled, the source documents for the account-wide PublicAccessBlockConfiguration call are stored on S3. [ENG-31204]

AZURE

  • Added visibility into Azure Role Assignment (Identity & Management category, new Resource type Cloud Role Assignment). No new permissions are needed for this added visibility. [ENG-31493]

Insights (23.10.3)

AWS

  • Resource In Region Without Account-Wide Access Analyzer Enabled - New Insight identifies resources that are in a region without Access Analyzer service enabled to help identify cross account and public access exposure via IAM policies. [ENG-30527]

ORACLE CLOUD INFRASTRUCTURE

  • Cloud Group Orphaned - Updated Insight to support Oracle Cloud Infrastructure. [ENG-31628]

MULTI-CLOUD/GENERAL

  • Resource with Vulnerability of Any Severity - New Insight identifies resources that have a non-zero count of vulnerabilities. [ENG-21807]

Query Filters (23.10.3)

AWS

  • Resource In Region Without Account-Wide Access Analyzer Enabled - New Query Filter identifies resources that are in a region without Access Analyzer enabled. Please note that resources missing required permissions are excluded from this check. [ENG-30527]

AZURE

  • Storage Account Type - New Query Filter matches storage accounts by their type, e.g., Premium Storage, Standard Storage V2, etc. [ENG-27764]

ORACLE CLOUD INFRASTRUCTURE

  • Cloud Group Orphaned - Updated Query Filter to support Oracle Cloud Infrastructure. [ENG-31628]

  • Cloud Group With Users - Updated Query Filter to support Oracle Cloud Infrastructure. [ENG-31628]

MULTI-CLOUD/GENERAL

  • Resource Vulnerability Count By Severity - Updated Query Filter to add Any option; returns resources of any severity level. [ENG-21807]

Bug Fixes (23.10.3)

  • Fixed an issue where multi-resource harvesters would not trigger Exemption Rules and therefore not create Exemptions. [ENG-31759]

  • Fixed a bug where GCP snapshots created by ICS during Host Vulnerability Assessment were not labeled with creator: insightcloudsec. [ENG-31470]

  • Resolved package vulnerabilities which relate to Regular Expression Denial of Service (ReDoS). [ENG-31424]

  • Added Gov cloud roles for Azure onboarding/scripting. [ENG-31350]

  • Resolved latency issues in the Tag Explorer overview. [ENG-31210]

  • Fixed an issue where Azure Cognitive Services couldn't apply the Query Filters Resource Not In Region or Resource In Region. [ENG-30999]

  • Fixed an issue where AWS host assessments failed if the host's root volume was encrypted with a customer-managed key and the host was deployed in a region other than us-east-1. [ENG-30908]

  • Fixed an edge case around AWS and Azure Organization deleted accounts; added a checkbox to explicitly configure these options to auto-remove deleted accounts and deleted subscriptions, respectively. [ENG-30845]

  • Fixed a bug to allow selection of new AWS region me-central-1 for harvesters in Harvesting Strategy options. [ENG-30765]

  • Fixed a bug to enable editing of exemption rules. [ENG-30697]

  • Fixed an issue with the Cloud Account With Impaired Visibility Query Filter where accounts with all permissions were showing up in the missing permissions list. [ENG-29950]

  • Fixed a bug where DB connection parameters could be included in the error message when the DB connection is lost. [ENG-29926]

  • Fixed a bug so that the "Make this a Public Filter" option renders when it should for Saved Filters under certain features (e.g., Attack Paths). [ENG-29411]

  • Changed the GoogleInstanceInterfaceIpHarvester to use a more reliable source to get project information as there is an unspecified delay with updating the commonInstanceMetadata for a project on GCP's side. [ENG-29321]

  • Fixed a bug where the email delegation setting was not updated when adding this to an existing GCP organization. [ENG-28053]

Required Policies & Permissions

Policies required for individual CSPs are as follows:

Alibaba Cloud

AWS

Azure

GCP

Oracle Cloud Infrastructure

Host Vulnerability Management

For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.