Merge pull request #882 from hlxsites/runtime-pascal-rn-pcee

[Runtime Security] RN-PCEE (Pascal)

docs/en/enterprise-edition/rn/known-issues/known-fixed-issues.adoc

@@ -383,6 +383,137 @@ CVE-2024-3154 - Arbitrary Systemd Property Injection as Defender does not direct
 |*ISSUE ID*
 |*DESCRIPTION*
 
+// CWP-61444
+|tt:[Fixed in 33.00.169]
+
+| *Improvements in Amazon Linux Vulnerability Reporting*
+
+Vulnerability information for many Amazon Linux CVEs lacked consistency across different Intelligence Stream updates, including changes in severity levels and fixed status versions.
+To address this, several key improvements were made, including enhanced consistency across scans, improved handling of duplicated CVEs, accurate ALAS to CVE conversion, and refined kernel package rules. These changes ensure more reliable and actionable vulnerability information for all Amazon distributions and kernel packages.
+
+// CWP-58814
+|tt:[Fixed in 33.00.169]
+
+| *Standardizing Java Versioning for Accurate Vulnerability Mapping*
+
+Inconsistent version numbering for Java products led to several false positives in Prisma Cloud security scans.
+To ensure accurate mapping of vulnerabilities to Java versions, all Java product versions will be normalized to the standard 1.x format. For example, in the https://nvd.nist.gov/vuln/detail/CVE-2023-21930[CVE-2023-21930] entry on the National Vulnerability Database (NVD), OpenJDK 8 will map to Java 1.8.
+
+// CWP-58355
+|tt:[Fixed in 33.00.169]
+
+| *Enhanced Detection for Minor Versions in Alpine Packages*
+
+Alpine's security database shows vulnerabilities for each Alpine package, including fixed versions and associated CVEs. However, when the CVE does not include a fixed version, the rule misses vulnerabilities in minor versions, leading to incomplete vulnerability coverage.
+This issue has been fixed. The updated vulnerability rules ensure that minor versions are included, even when no specific fixed version is available.
+
+
+// CWP-61220
+|tt:[Fixed in 33.00.169]
+
+| *CVEs Resolved in Release 33.00*
+
+While alerts were generated for CVE-2024-6104 and CVE-2024-29018, Prisma Cloud was not directly vulnerable and remained safe to use. The alerts have been resolved in Prisma Cloud release 33.00.
+
+// CWP-58073
+| tt:[Fixed in 33.00.169]
+
+| Customers could pass invalid data to the `v1/alert-profile` and `collections` APIs. To address this issue, the following validations have been added:
+
+* For `v1/alert-profiles` APIs:
+
+** The name parameter must be less than 50 characters.
+** The email address must be valid.
+** The port parameter must not be less than 1.
+** The recipient’s email address must be valid.
+
+* For `Collections`:
+** The name parameter must be less than 50 characters.
+** The description parameter must be less than 200 characters.
+
+// CWP-59190
+|tt:[Fixed in 33.00.169]
+
+|*Improved Image Scanning*
+
+If the Defender disconnects while scanning an image that has the same tag, registry, repository, and credentials, it can lead to multiple scan requests of the same image. In addition, a race condition could sometimes prevent the image from being properly removed from the host container registry after scanning.
+This fix ensures that only one scan is performed per image, even if multiple scan requests are triggered by disconnections. This reduces the load on the Defender.
+
+The fix also addresses the race condition. However, not all possible race conditions are addressed:
+
+* If the same image is scanned in different repositories or registries, race conditions are not addressed by this fix.
+* If the same image is scanned in the same repository and registry but with different tags, the fix does not handle potential race conditions.
+
+
+// CWP-59443
+|tt:[Fixed in 33.00.169]
+
+| Previously, users experienced intermittent timeouts in a shorter timeframe than the default inactivity period, which was set to 300 minutes under *Settings > Enterprise Settings > User Idle Timeout > CX*. This issue has now been resolved, and all Prisma Cloud tabs log out only after 300 minutes of inactivity.
+
+// CWP-59841
+|tt:[Fixed in 33.00.169]
+
+| *Agentless Scanning - Support for OCI root compartment scans*
+
+OCI instances deployed in the root compartment were not scanned during Agentless scans. Instances in child compartments were scanned as expected, but root compartment instances were excluded without error. This issue is fixed-all compartments, including the root, are now scanned successfully.
+
+
+// CWP-60298
+|tt:[Fixed in 33.00.169]
+
+|*Compliance IDs 440/441 in Lamba Scans*
+
+Compliance IDs 440/441 triggered false positives during a serverless Lambda scan for kms permissions. This issue is fixed.
+
+// CWP-60356
+|tt:[Fixed in 33.00.169]
+
+| *Improved Clarity in Incident Log Messages*
+
+In certain cases, the command that triggered an incident was missing from the incident capture flow. This caused the messages in the Incident Explorer to occasionally lack clarity, leading to incomplete logs.
+The fix ensures that executed commands are now included in audit reports when available. Additionally, it prevents the generation of incomplete reports if the command is missing
+
+// CWP-60574
+|tt:[Fixed in 33.00.169]
+
+| Previously, when an image digest was updated for the same `{registry/repo:tag}` combination, the Console was updated but the UAI and UVE continued to display the old image digests. This issue is fixed.
+
+// CWP-60819
+|tt:[Fixed in 33.00.169]
+
+| *Reduced Registry Scan Duration*
+
+Prisma Cloud sometimes experienced extended registry scan times due to certain images not being correctly recognized.
+This led to the registry scan missing cached images, resulting in longer scan durations. The cache miss happened because the image ID hash from the Container Runtime API was missing the sha256 prefix.
+The issue has now been fixed by using the hash from the registry scan request sent by the Console, when available. This ensures cache hits and enhances scan performance.
+
+// CWP-60900
+|tt:[Fixed in 33.00.169]
+
+| Exporting discovered APIs to OpenAPI CSV files from the *Runtime > Monitor > WAAS > API discovery > Export CSV* page failed if the API had unsupported methods such as PURGE. This issue is fixed.
+
+// CWP-61291
+|tt:[Fixed in 33.00.169]
+
+| Previously, a "buffer full" error was reported with an HTTP 500 status code, when the same port was reused in a specific order across multiple apps in a single WAAS rule. This issue is fixed now.
+
+//CWP-61362
+|tt:[Fixed in 33.00.169]
+
+| Fixed an issue where compliance alerts for malware (Compliance ID 455) did not appear in daily email reports despite failed resources being detected. This fix ensures accurate reporting for agentless scans.
+
+//CWP-61375
+|tt:[Fixed in 33.00.169]
+
+|*Agentless Scanning - Resource Group Creation in Target Azure Account during Hub Scan Mode*
+
+Fixed an issue where resource groups were created in the target account during Azure agentless Hub scan mode. Now, resource groups are no longer created in the target account when a hub account is defined on it.
+
+//CWP-61752
+|tt:[Fixed in 32.07]
+
+|The issue related to interruption in the communication between a defender and the console--that was introduced by the newly introduced fail-safe mechanism aimed to prevent any impact to customer traffic or downtime--is resolved. The fix requires you to upgrade the Console and the Defenders to version 33.00.
+
 //CWP-61027
 |tt:[Fixed in 32.07]
 |For some GO package CVEs, Prisma Cloud did not completely report all the affected versions, particularly when multiple version ranges were involved, resulting in occasional false negatives.

docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-september-2024.adoc

@@ -2,7 +2,7 @@
 
 Learn what's new on Prisma® Cloud in September 2024.
 
-//* <<announcement>>
+* <<announcement>>
 * <<new-features>>
 * <<changes-in-existing-behavior>>
 * <<api-ingestions>>
@@ -14,6 +14,30 @@ Learn what's new on Prisma® Cloud in September 2024.
 //* <<deprecation-notices>>
 //* <<end-of-sale>>
 
+[#announcement]
+=== Announcement
+
+
+[cols="50%a,50%a"]
+|===
+|*Feature*
+|*Description*
+
+| *Lifecycle Support Update*
+
+tt:[Secure the Runtime]
+
+tt:[33.00.169]
+
+//CWP-61282
+
+| Prisma Cloud officially guarantees backward compatibility with up to two previous major versions (N-2).
+
+Although the support lifecycle remains unchanged, starting from version 33.xx, Prisma Cloud will not restrict the usage of Defender versions or REST API calls from up to three major releases before the current version (upto N-3 major releases).
+
+For example, with the current version at 33.xx, API calls and Defenders from version 30.xx will be allowed. However, support and complete backward compatibility is guaranteed for the 32.xx and 31.xx releases.
+
+|===
 
 [#new-features]
 === New Features
@@ -45,6 +69,48 @@ tt:[24.9.1]
 
 |Prisma Cloud has enhanced its Prisma Cloud Technical Documentation https://docs.prismacloud.io/en/enterprise-edition/content-collections/administration/configure-external-integrations-on-prisma-cloud/integrate-prisma-cloud-with-jira[Jira integration] to work with all Jira Cloud and Jira On-Premise versions including 9.0 and above. This enhancement will enable you to receive Prisma Cloud alert notifications in your Jira accounts.  
 
+| *Transition from OVAL to VEX Format for Red Hat Security Data*
+
+tt:[Secure the Runtime]
+
+tt:[33.00.169]
+
+// CWP-61485/CWP-59337
+
+| Prisma Cloud is transitioning from the OVAL format to the new VEX format that Red Hat has introduced and adopted for reporting security data and vulnerabilities in Red Hat artifacts.
+
+*Pre-33.00*: Until you upgrade to a 33.xx release, Prisma Cloud will continue using OVAL for vulnerability scanning with no expected impact.
+
+*33.xx*: After upgrading your Console and Defenders to version 33.00 or later, Prisma Cloud will switch to the VEX format for vulnerability reporting. This transition might result in a change in the number of reported CVEs due to the inherent differences between the VEX and OVAL content.
+
+*Comparison Between OVAL and VEX Formats*: With the OVAL format, Prisma Cloud reports vulnerabilities for each binary found during the scan. However, with the new VEX format, Prisma Cloud will report one vulnerability for the source package and provide information on related binaries.
+
+This means that the number of vulnerabilities with the same CVE ID will be reduced, as Prisma Cloud will report one vulnerability for the RPM package instead of multiple reports for each binary.
+
+*Continued Support*: Prisma Cloud will continue to support OVAL format for two major versions—v33.xx and v34.xx—to maintain compatibility with Defenders in pre-33.xx releases, as long as Red Hat continues to produce OVAL files.
+
+*Expected Console Loading Time in the 33.xx release*: For new Consoles paired with new Defenders, the Console loading time after a restart event will be approximately 1-2 minutes.
+
+*Console Memory Usage in the 33.XX release*: For on-premise users upgrading to the latest Console, the Console memory requirement is 8 GB. This requirement is only for the self-hosted editions.
+
+For a more detailed explanation of this transition, see the https://main%2D%2Dprisma-cloud-docs-website%2D%2Dhlxsites.hlx.live/en/compute-edition/assets/pdf/lookahead-transition-to-vex-format.pdf[Transition from Oval to VEX Files] document.
+
+If you have any concerns or need additional information about this transition, contact [email protected].
+
+| *Enhancement to WAAS Agentless Support*
+
+tt:[Secure the Runtime]
+
+tt:[33.00.169]
+
+// CWP-59339
+
+| WAAS agentless rules now support traffic inspection for AWS Application Load Balancers (ALBs) in addition to AWS EC2 instances. Ensure your AWS account is onboarded to the Prisma Cloud console and then configure the ALB rule.
+
+To add the ALB rule access *Defend > WAAS > Add Rule > Add Configuration*. Ensure your CloudFormation template is applied with the necessary permissions to your onboarded AWS account in the region where the ALB resides. You can view the scan results in the Prisma Cloud console to monitor and manage your ALB traffic inspection.
+
+NOTE: This feature is enabled on request. Please contact your Account team for more details.
+
 |===
 
 
@@ -228,6 +294,28 @@ Additional permission required:
 You must manually add the permission to a Custom role.
 
 
+| WAAS Agentless - Support AWS LB
+
+tt:[33.00.169]
+
+// CWP-59340
+
+| The https://pan.dev/prisma-cloud/api/cwpp/put-policies-firewall-app-agentless/[Set Agentless App Firewall Policy] API request is updated to support AWS Application Load Balancers (ALBs):
+
+* The “trafficMirroring > vpcConfig” property is modified to include three new fields for ALBs:
+** lbARN - ARN of the observed load balancer.
+** lbName - Load balancer name.
+** lbType - Load balance type.
+
+* The following existing fields are now applicable as follows:
+
+** instanceNames -  used only in EC2 rules.
+** subnetID - used only in EC2 rules.
+** tags - used only in EC2 rules.
+** vpcID - must be empty (””) for ALB rules.
+** autoScalingEnabled - must be true for ALB rules.
+
+
 |===