Merge pull request #857 from hlxsites/runtime-pascal-33-0-LA

Pascal 33.00 LA

docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-runtime.adoc

@@ -6,26 +6,27 @@
 
 //The following text is a revert to the old content.
 
-Read this section to learn about what is planned in the upcoming `33.00` release on the Runtime Security of the Prisma Cloud console for WAAS, Host Security, Serverless Security, and Container Security.
+Read this section to learn about what is planned in the upcoming `33.00` release of the Runtime Security features for WAAS, Host Security, Serverless Security, and Container Security.
 
-// The Look Ahead announcements are for an upcoming release and it is not a cumulative list of all announcements.
+The Look Ahead announcements are for an upcoming release and are not a cumulative list of all announcements.
 
 //Currently, there are no previews or announcements for updates.
 
-// [NOTE]
-// ====
-// The details and functionality listed below are a preview of what is planned for the `v32.07` release; the changes listed herein and the actual release date, are subject to change.
-// ====
+[NOTE]
+====
+The details and functionality listed below are a preview of what is planned for the `v33.00` release; the changes listed herein and the actual release date are subject to change.
+====
 
 
 // // * <<defender-upgrade>>
 // // * <<new-ips-for-runtime>>
 // //* <<announcement>>
-// * <<enhancements>>
-// //* <<api-changes>>
+* <<upcoming-major-change>>
+* <<enhancements>>
+* <<api-changes>>
 // // * <<deprecation-notices>>
 // // * <<eos-notices>>
-// // * <<addressed-issues>>
+* <<addressed-issues>>
 
 
 // // [#new-ips-for-runtime]
@@ -40,7 +41,10 @@ Read this section to learn about what is planned in the upcoming `33.00` release
 
 //[#announcement]
 //=== Announcements
-=== Upcoming Transition from OVAL to VEX Format for Red Hat Security Data
+
+[#upcoming-major-change]
+=== Upcoming Major Change
+==== Transition from OVAL to VEX Format for Red Hat Security Data
 
 Prisma Cloud is transitioning from the OVAL format to the new VEX format that Red Hat has introduced and adopted for reporting security data and vulnerabilities in Red Hat artifacts.
 
@@ -49,47 +53,43 @@ Prisma Cloud is transitioning from the OVAL format to the new VEX format that Re
 * *Comparison Between OVAL and VEX Formats*: With the OVAL format, Prisma Cloud reports vulnerabilities for each binary found during the scan. However, with the new VEX format, Prisma Cloud will report one vulnerability for the source package and provide information on related binaries.
 + 
 This means that the number of vulnerabilities with the same CVE ID will be reduced, as Prisma Cloud will report one vulnerability for the RPM package instead of multiple reports for each binary.
-* *Continued Support*: Prisma Cloud will continue to support OVAL format for two major versions—v33.xx and v34.xx—to maintain compatibility with Defenders in the pre-33.xx releases, as long as Red Hat continues to produce OVAL files.
-* *Console Loading Time in 33.xx release*: For new Consoles paired with new Defenders, the Console loading time after a restart event will be approximately 1-2 minutes.
-* *Console Memory Usage in 33.XX release*: For on-premise users upgrading to the latest Console, the Console memory requirement is 8GB. This requirement is only for self-hosted editions.
+* *Continued Support*: Prisma Cloud will continue to support OVAL format for two major versions—v33.xx and v34.xx—to maintain compatibility with Defenders in pre-33.xx releases, as long as Red Hat continues to produce OVAL files.
+* *Expected Console Loading Time in the 33.xx release*: For new Consoles paired with new Defenders, the Console loading time after a restart event will be approximately 1-2 minutes.
+* *Console Memory Usage in the 33.XX release*: For on-premise users upgrading to the latest Console, the Console memory requirement is 8 GB. This requirement is only for the self-hosted editions.
 
-A more detailed explanation of this transition is available in the accompanying PDF document: link:https://tinyurl.com/49tfajn3[*Transition from Oval to VEX Files*].
+For a more detailed explanation of this transition, see the link:https://tinyurl.com/49tfajn3[*Transition from Oval to VEX Files*] document.
 
-If you have any concerns or need more information about this transition, please contact [email protected].
+If you have any concerns or need additional information about this transition, contact [email protected].
 
-// [cols="30%a,70%a"]
-// |===
-// |*Change in Release Date*
-// |Release 32.07 is now scheduled for 21-July-2024.
-
-// |*Descoped: Support for Red Hat’s VEX format*
-// |The support for Red Hat’s VEX format is rescheduled. It will now be included in the next major release, version 33.00.
+[#enhancements]
+=== Enhancements
 
-// |===
+// The following enhancements are planned. The details will be available at release:
 
-// [#enhancements]
-// === Enhancements
+[cols="30%a,70%a"]
+|===
+|*Feature*
+|*Description*
 
-// The following enhancements are planned. The details will be available at release:
+// CWP-59339
 
-// [cols="30%a,70%a"]
-// |===
-// |*Feature*
-// |*Description*
+|*Enhancement to WAAS Agentless Support*
 
-// // https://redlock.atlassian.net/browse/CWP-59772
+|In the upcoming release, WAAS agentless rules will support traffic inspection for AWS Application Load Balancers (ALBs) in addition to AWS EC2 instances. 
 
-// |*Enhancement to Photon OS and Amazon Linux OS Feeds*
+You can view the scan results in the Prisma Cloud console to monitor and manage your ALB traffic inspection. Ensure your AWS account is onboarded to the Prisma Cloud console and then configure the ALB rule. 
 
-// |Prisma Cloud now parses Photon OS and Amazon Linux OS feeds using CVE IDs as the primary vulnerability identifier instead of advisory IDs. This change enhances Prisma Cloud’s ability to correlate third-party data, and use vendor-provided information, including backports, severity assessments, and vulnerability scores.
+*NOTE*: This feature is enabled on request. Contact your Account team for more information.
 
-// // https://redlock.atlassian.net/browse/CWP-57626
+//CWP-61282
+|*Lifecycle Support Update*
 
-// |*Support for Azure Container Registry and VM image scanning*
+|Prisma Cloud guarantees backward compatibility with the last two major releases prior to the current version (N-2).
 
-// |Prisma Cloud now supports scanning Azure Container Registry (ACR) and Virtual Machine (VM) images for Azure cloud accounts that are onboarded directly through the platform.
+Although the support lifecycle remains unchanged, starting from version 33.xx, Prisma Cloud will not restrict the usage of Defender versions or REST API calls with the last three major releases prior to the current version.
 
-// |===
+For example, with the current version at 33.xx, API calls and Defenders from version 30.xx will be allowed, while also providing complete backward compatibility support for the 32.xx and 31.xx releases.
+|===
 
 // [#deprecation-notices]
 // === Deprecation Notices
@@ -98,56 +98,97 @@ If you have any concerns or need more information about this transition, please
 
 // |===
 
-//[#api-changes]
-//=== API Changes
+[#api-changes]
+=== API Changes
 
-//[cols="30%a,70%a"]
-//|===
-//|*Change*
-//|*Description*
+[cols="30%a,70%a"]
+|===
+|*Change*
+|*Description*
 
-// https://redlock.atlassian.net/browse/CWP-57289
+//CWP-59340
 
-//|*Remove hostname from registry progress response*
+|*WAAS Agentless - Support AWS LB*
 
-//|The response of the https://pan.dev/prisma-cloud/api/cwpp/get-registry-progress/[View Registry Scan Progress] API has the following changes:
+|The link:https://pan.dev/prisma-cloud/api/cwpp/put-policies-firewall-app-agentless/[Set Agentless App Firewall Policy API] request will have the following changes:
 
-//    * A new `specScanStartTime` field is added
+* The existing `trafficMirroring > vpcConfig` property will be modified to include three new fields:
 
-//   * The existing `discovery` and `imageScan` properties have been modified to:
+** lbARN - ARN of the observed load balancer.
+** lbName - Load balancer name.
+** lbType - Load balancer type.
 
-//            ** Include a new `type` field
++
 
-//            ** Remove the `hostname` and `scanTime` fields
+*NOTE*: The above-listed fields will be applicable only to ALB load balancers.
 
-// https://redlock.atlassian.net/browse/CWP-58306
+* The following existing fields will be applicable as described below:
+** instanceNames -  used only in EC2 rules.
+** subnetID - used only in EC2 rules.
+** tags - used only in EC2 rules.
+** vpcID - must be left empty ("") for ALB rules
+** autoScalingEnabled - must be true for ALB rules.
 
-//|*Component documentation for API address resolving method for cluster name*
+|===
 
-//|A new optional field `clusterNameResolvingMethod` will be added to the following APIs:
+[#addressed-issues]
+=== Addressed Issues
 
-//* https://pan.dev/compute/api/post-defenders-daemonset-yaml/[Generate Daemonset Deployment YAML File]
+[cols="30%a,70%a"]
 
-//* https://pan.dev/compute/api/post-defenders-helm-twistlock-defender-helm-tar-gz/[Generate a Helm Deployment Chart for Defender]
+|===
+//CWP-60486
 
-//The permissible values for this field are `default`, `manual`, or `api-server` to support various offerings to resolve K8s Cluster names.  
+|*MongoDB Upgrade to Version 6.0.16*
 
-//|===
+|The MongoDB package is successfully upgraded to version 6.0.16 in the upcoming release.
 
-// [#eos-notices]
-// === End of Support Notices
-// |===
+As a result, the console deployed image will no longer be vulnerable to CVE-2024-6375, and will no longer be present on the ignore list.
 
-// |===
+//CWP-61444
+
+|*Enhancements in Amazon Linux CVE Reporting*
+
+|Vulnerability information for many Amazon Linux CVEs lacked consistency across different Intelligence Stream updates, with differences existing in severity levels and fixed status versions.
+
+The upcoming release includes the following key improvements to address this issue: 
 
+* Increased consistency in scans
+* Improved handling of duplicate CVEs
+* Accurate conversion of Amazon Linux Security Advisories (ALAS) to CVEs 
+* Refined kernel package rules
 
-// [#addressed-issues]
-// === Addressed Issues
+These changes will ensure consistent, reliable, and actionable vulnerability information for all Amazon distributions.
 
-//[cols="30%a,70%a"]
+
+//CWP-58814
+
+|*Java Versions Standardized to 1.x Format*
+
+|Inconsistent version numbering for Java products has led to several false positives in Prisma Cloud security scans. 
+
+To ensure accurate mapping of vulnerabilities to Java versions, all Java product versions will be normalized to the Standard 1.x format. 
+For example, for link:https://nvd.nist.gov/vuln/detail/CVE-2023-21930[CVE-2023-21930] on the National Vulnerability Database (NVD), OpenJDK 8 will map to Java 1.8.
+
+
+//CWP-58355
+|*Minor Versions Included for Alpine CVEs*
+
+|Alpine's security database shows vulnerabilities for each Alpine package, including fixed versions and associated CVEs. 
+
+However, when a CVE does not include a fixed version, the rule does not report vulnerabilities for minor versions, resulting in incomplete vulnerability coverage.
+
+This issue will be resolved in the upcoming release. The updated rules will report vulnerabilities for minor versions as well, even when no specific fixed version is available.
+
+
+|===
 
 // |===
 
+// [#eos-notices]
+// === End of Support Notices
+// |===
 
 // |===
 
+