[4.2] Patch - Nov 9, 2021

This document provides an overview of resolved issues and other improvements in the Fortanix Data Security Manager (DSM) 4.2 Patch (4.2.1509) release.

This release is superseded by the February 03, 2022, release.

WARNING
  • Upgrading Fortanix DSM to version 4.0 is REQUIRED before upgrading to version 4.2 Patch (4.2.1509).
NOTE
  • After the software package is uploaded, the expected time to upgrade a 3-node cluster is about 1 hour.

1. Bug Fixes

  • Fixed backend panic on calling derive operation in FPE mode. (JIRA: PROD-3815)
  • Fixed database decode failure in some rare conditions.
  • Fixed upgrade failure: kubectl apply: doesn't match $setElementOrder. (JIRA: DEVOPS-1536)
  • Fixed Key Check Value (KCV) computation to avoid GET keys failure. (JIRA: PROD-3586)

2. Improvements

  • Improved the health check API to take the various global queues into account. (JIRA: PROD-3675)
  • Added a unique trace-ID for each API to backend logs and in the x-request-id response for improved debugging. (JIRA: PROD-3575)
  • Added additional data to metrics API for improved debugging. (JIRA: PROD-3661)
  • Improved debuggability of key-rotation failures in the scheduled-operations job. (JIRA: PROD-3790)
  • Enforce fresh installation on a system without old software. (JIRA: DEVOPS-1867)
  • Handled deploy job failure when Elasticsearch does not have any logs. (JIRA: DEVOPS-1860)

3. Security

* CIS benchmark changes

  • Updated modprobe.d configuration. (JIRA: DEVOPS-1878)
  • Updated limits configuration. (JIRA: DEVOPS-1887)
  • Updated motd/issue file permissions. (JIRA: DEVOPS-1889)
  • Removed telnet package. (JIRA: DEVOPS-1892)
  • Updated sysctl configuration. (JIRA: DEVOPS-1895)
  • Updated cron file permissions. (JIRA: DEVOPS-1900)
  • Updated sudo configuration. (JIRA: DEVOPS-1901)
  • Provided a recommended example ssh configuration. The current ssh configuration of the system has not been updated; the recommended configuration is saved in the location: /opt/fortanix/sdkms/config/sshd_config.fortanix. (JIRA: DEVOPS-1902)
  • Installed libpam-pwquality package. (JIRA: DEVOPS-1903)
  • Updated Kubernetes configuration file permission. (JIRA: DEVOPS-1907)
  • Updated /home directory permissions. (JIRA: DEVOPS-1908)

4. Known Issues

  • Azure BYOK plugin returns out of memory error in case the key vault has more than a certain number of keys (JIRA: PROD-3568).
  • exclude is not working in proxy config for operations such as attestation (JIRA: PROD-3311).
  • Single node updates can have kube-dns pending POD (JIRA: DEVOPS-1683).
  • AWS KMS groups have a scan limitation: When the AWS KMS region has more than 100 keys, only 100 virtual keys are created during the group scan (JIRA: PROD-3840).

5. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.
