Apr 16, 2024 - 24.4.16

Release Summary

InsightCloudSec is pleased to announce Release 24.4.16. This release includes two new Kubernetes Insights and improved Container Vulnerability Assessment error reporting.

Details for self-hosted customers
  • Release Availability - Thursday, Apr 18, 2024
  • The latest Terraform template (static files and modules) can be found here. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) Image Tags - The Amazon Web Services (AWS) Elastic Container Repository (ECR) build images for this version of InsightCloudSec can be obtained using the following tags (all versions can be found here):
    • latest
    • 24.4.16
    • 24.4.16.fe37005a2
  • ECR Build ID - fe37005a2a963c827313465982861bd7595ae59b

New

  • Two new Insights have been added:
    • Ensure that Ingress-nginx path type is configured with secure options - Ingress-nginx path sanitization can be bypassed via the log_format directive. When pathType is configured as Exact or Prefix, stricter validation applies: only paths that start with "/" and contain only alphanumeric characters, "-", "_" and additional "/" are allowed. When this option is enabled, the validation is performed in the Admission Webhook, which denies creation of any Ingress containing invalid characters. These security controls are not applied when pathType is ImplementationSpecific.
    • Enforce Restrictions On The Contents Of Ingress-nginx Annotation Fields - Per CVE-2023-5043 and CVE-2023-5044, Ingress-nginx annotation injection causes arbitrary command execution.
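The path rule described in the first Insight above can be expressed as a small configuration check. The following is an added example written for this page, not InsightCloudSec's own Insight logic or ingress-nginx code: it walks parsed Ingress manifests, flags any path whose pathType is ImplementationSpecific (or unset), since the strict validation never runs for those, and, for Exact/Prefix paths, applies the allowlist the note describes. The regular expression is reconstructed from that description and is an assumption, as are the constructed sample manifests.

```python
import re

# Path rule as the release note describes it for pathType Exact/Prefix: the path
# must start with "/" and contain only alphanumerics, "-", "_" and further "/".
# This regex is an assumption reconstructed from that description, not taken
# from ingress-nginx's source.
STRICT_PATH = re.compile(r"^/[A-Za-z0-9_/-]*$")

# pathType values the note says receive the stricter validation.
STRICT_PATH_TYPES = {"Exact", "Prefix"}


def check_ingress(ingress):
    """Return a list of findings for one Ingress manifest (parsed into a dict)."""
    findings = []
    name = ingress.get("metadata", {}).get("name", "<unnamed>")
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            path_type = entry.get("pathType")
            if path_type not in STRICT_PATH_TYPES:
                # ImplementationSpecific (or unset) means the strict checks
                # described in the note never run for this path.
                findings.append(
                    f"{name}: path {path!r} has pathType {path_type or 'unset'}; "
                    "strict path validation does not apply"
                )
            elif not STRICT_PATH.match(path):
                findings.append(
                    f"{name}: path {path!r} contains characters outside the "
                    "strict allowlist"
                )
    return findings


def scan_ingresses(ingresses):
    """Run check_ingress over a collection of manifests and flatten the findings."""
    findings = []
    for ingress in ingresses:
        findings.extend(check_ingress(ingress))
    return findings


def _ingress(name, paths):
    """Build a minimal networking.k8s.io/v1 Ingress dict for the samples below."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name},
        "spec": {"rules": [{"host": f"{name}.example.internal",
                            "http": {"paths": paths}}]},
    }


# Constructed sample manifests (hypothetical, not taken from any real cluster).
SAMPLE_INGRESSES = [
    # Compliant: every path uses Prefix/Exact and stays within the allowlist.
    _ingress("web", [
        {"path": "/api/v1", "pathType": "Prefix",
         "backend": {"service": {"name": "api", "port": {"number": 8080}}}},
        {"path": "/static_assets-2", "pathType": "Exact",
         "backend": {"service": {"name": "static", "port": {"number": 80}}}},
    ]),
    # Non-compliant: ImplementationSpecific is exempt from the strict validation.
    _ingress("legacy", [
        {"path": "/admin", "pathType": "ImplementationSpecific",
         "backend": {"service": {"name": "admin", "port": {"number": 9000}}}},
    ]),
    # Non-compliant: Exact pathType, but the path carries a "." which the
    # described allowlist does not permit.
    _ingress("release", [
        {"path": "/app.v2", "pathType": "Exact",
         "backend": {"service": {"name": "app", "port": {"number": 80}}}},
        {"path": "/ok", "pathType": "Prefix",
         "backend": {"service": {"name": "app", "port": {"number": 80}}}},
    ]),
]

if __name__ == "__main__":
    for finding in scan_ingresses(SAMPLE_INGRESSES):
        print(finding)
```

In practice the manifests would come from a cluster export (for instance the JSON output of a Kubernetes API list call) rather than the inline samples; the check itself is unchanged, and any path reported with ImplementationSpecific is worth reviewing even when its characters look harmless, because the Admission Webhook validation described above never ran for it.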

Improved

  • Improved Container Vulnerability Assessment (CVA) error messages for failures that occur when an image is too large, and for cases where InsightCloudSec attempts and fails to scan an image from each of multiple locations.
  • Updated our guidance for the minimum Terraform version required to deploy InsightCloudSec.

Fixed

  • Fixed issue of missing gatekeeper constraints in Kubernetes scan report.
  • Resolved an issue with the get_data_collection_value Jinja2 templating method.
  • Fixed issue where AWS Lambda functions would appear as public when their policies allowed public access via their URL even when they didn't have any URL configuration.
  • Fixed the Database Cluster Activity Stream Status to show "Stopped" and "Stopping" statuses in line with the AWS console.
  • Fixed an issue where the Insight Timeseries job ran too close to midnight, erroneously recording results for the next day, resulting in gaps for the Insight History.