Release Notes for 5.x
To receive email notifications of new releases, please subscribe to this SUSE mailing list: https://lists.suse.com/mailman/listinfo/neuvector-updates
5.4.2 January 2025
New Features:
- NVSHAS-9726: The monitor now passes the proxy URL.
- NVSHAS-9719: Announces the retirement of built-in certificates.
- NVSHAS-9715: Helm chart value support for setting NodePort on the controller and manager.
- NVSHAS-9710: Include a sortable `feed_rating` column in the Vulnerabilities tab.
- NVSHAS-9669: Overall security score through the REST API.
- NVSHAS-9590: Ability to choose which vulnerability score for all assets.
- NVSHAS-7555: Include "Auto Refresh" option under Security Events.
Bug Fixes:
- NVSHAS-9662: Inconsistent Role/RoleBinding logic in Helm chart 2.8.2.
- NVSHAS-9652: Observed difference in syslog format in Splunk.
- NVSHAS-9649: Container link produces 404 response code in security-event.
- NVSHAS-9613: NeuVector Manager Pod Error / NeuVector Web UI Unavailable.
- NVSHAS-9507: OCI container not getting scanned.
- NVSHAS-9443: Upgrade/Install through ArgoCD fails as it cannot create leases.coordination.k8s.io object.
- NVSHAS-9436: Possible CVE false negative against CVE-2024-7347.
- NVSHAS-8386: Private keys and self-signed certs still shipped in multiple images.
- NVSHAS-9754: [UI] Prevent a Rancher-related SSO user from disabling OpenShift or Rancher RBAC authentication.
- NVSHAS-9751: [Runtime Protection] Monitor Mode + Zero Drift is not generating any alerts when a child process is executed.
- NVSHAS-9721: UI should pop up appropriate error message when user inputs wrong registry name.
- NVSHAS-9696: Inconsistent colour indication of assets on vulnerability page.
- NVSHAS-9686: Hardcoded namespace for the registry adapter certificate in the Neuvector Helm chart.
- NVSHAS-9678: Excessive error traces after the linter changes.
- NVSHAS-9670: Manager: Plain text response double quotes issue and java unnamed library issue in sbt run.
- NVSHAS-9667: Setting the `CTRL_PATH_DEBUG` env variable to error in the controller deployment is not working.
- NVSHAS-9665: File Access rule: Delete predefined rules produces "setRowData" error.
- NVSHAS-9664: Policy Group: Delete custom script produces "setRowData" TypeError.
The default service types of the manager and registry adapter have been changed to ClusterIP. Users can still override this by setting `manager.svc.type` and `cve.adapter.svc.type` if NodePort is preferred.
In the NeuVector 5.4.2 release, support is discontinued for deployments using the built-in internal certificate. The certificate found at /etc/neuvector/certs/internal
within NeuVector 5.4.2 container images will be removed. To continue using NeuVector, users should:
5.4.2 New Installation:
Using Helm:
- Enable the `internal.autoGenerateCert` and `internal.autoRotateCert` flags in the Helm charts (these will be enabled by default starting with the 5.4.2 release). Alternatively, a YAML method is linked below.
Using YAML:
- Provide an internal certificate using the existing methods: https://open-docs.neuvector.com/deploying/production/internal
Upgrading Previous Versions to 5.4.2:
Please create and configure internal certificates from the scanner for the controller, enforcer, and registry-adapter to achieve a rolling update without losing data. It is still recommended to take a backup of your configuration before upgrading.
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/ca.cert" > ca.crt
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/cert.pem" > tls.crt
docker run -it --entrypoint=bash neuvector/scanner:3.654 -c "cat /etc/neuvector/certs/internal/cert.key" > tls.key
kubectl create secret generic internal-cert -n neuvector --from-file=tls.key --from-file=tls.crt --from-file=ca.crt
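The three files extracted above become the secret that the controller, enforcer, scanner and registry adapter all rely on, so a mistake (a key that belongs to a different certificate, a leaf not signed by the CA that was copied, a certificate close to expiry) only surfaces as components failing to connect after the rolling update has started. The following Go program is an added example, not NeuVector project code: `CheckBundle` confirms that tls.key matches tls.crt, that tls.crt chains to ca.crt, and that the certificate keeps at least a given remaining lifetime. The file names come from the commands above; the 30-day window, the subject names and `NewSampleBundle` (a constructed CA and leaf so the program runs offline) are assumptions made for this example.

```go
package main

// Added example (not NeuVector project code): pre-flight checks on an
// internal-cert bundle (ca.crt, tls.crt, tls.key) before it is stored as the
// shared Kubernetes secret. NewSampleBundle produces constructed test data only.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckBundle returns nil when tls.key is the private key for tls.crt, tls.crt
// chains to ca.crt, and the certificate stays valid for at least minRemaining.
func CheckBundle(caPEM, crtPEM, keyPEM []byte, now time.Time, minRemaining time.Duration) error {
	// Key/cert agreement: X509KeyPair rejects a key that does not match the leaf.
	pair, err := tls.X509KeyPair(crtPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("tls.crt/tls.key: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("tls.crt: %w", err)
	}
	// Chain: the components trust only what ca.crt signs, so the leaf must verify against it.
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("ca.crt: no CERTIFICATE block found")
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("tls.crt does not chain to ca.crt: %w", err)
	}
	// Remaining lifetime: a rolling update should not start on a certificate about to expire.
	if leaf.NotAfter.Before(now.Add(minRemaining)) {
		return fmt.Errorf("tls.crt expires %s, less than %s from now", leaf.NotAfter.Format(time.RFC3339), minRemaining)
	}
	return nil
}

// NewSampleBundle creates a constructed CA and a leaf it signs, both expiring at notAfter.
func NewSampleBundle(notAfter time.Time) (caPEM, crtPEM, keyPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-internal-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // parsed parent so the leaf gets a proper AuthorityKeyId
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-internal-leaf"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(leafKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	now := time.Now()
	window := 30 * 24 * time.Hour // assumed minimum remaining lifetime
	ca, crt, key, err := NewSampleBundle(now.Add(365 * 24 * time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("valid bundle:", CheckBundle(ca, crt, key, now, window))
	_, _, otherKey, _ := NewSampleBundle(now.Add(365 * 24 * time.Hour))
	fmt.Println("mismatched key:", CheckBundle(ca, crt, otherKey, now, window))
}
```

To use it on real files, read ca.crt, tls.crt and tls.key with `os.ReadFile` and pass the bytes to `CheckBundle`; a non-nil error is a reason to stop before running `kubectl create secret`. The chain check deliberately uses only ca.crt as the root, mirroring what the components will trust, and the lifetime window is what turns the certificate-expiry notification added in 5.4 into a pre-upgrade gate rather than a post-upgrade surprise.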
Sample 5.4.2 yaml with internal certificate configured: https://github.com/neuvector/manifests/blob/main/kubernetes/5.4.0/neuvector-k8s.yaml
PR for document update: https://github.com/neuvector/docs/pull/141/files#diff-b2546ca00e2b37017e5ff28da2c113e82473be290ed444af0c80b7c43680254cR252
In the case of a PVC configuration, users can configure an existing PVC in the new installation to restore a configuration.
Additional Note for Scanner:
For current users with versions prior to 5.4.2, the certificate will remain available in the `neuvector/scanner:latest` image until March 31, 2025. After this date, it will be removed. Users should plan to provide the same internal certificate to the controller, enforcer, scanner, and registry adapter to continue using the scanner.
Please note the stand-alone scanner will not be affected by these changes.
5.4.1 November 2024
New Features
- NVSHAS-8583: Setting granular policy modes for rule sets, separate network policy mode and profile mode at per group level.
- NVSHAS-9440: Support separate network mode and Process and File mode in CRD.
- NVSHAS-9369: Add debug log category via helm deployment support for controller.
- NVSHAS-9040: Improve syslog message when admission control rule is denied in monitor mode.
Bug Fixes
- NVSHAS-9416: [Scanner] activemq-all-5.8.0.redhat-60024.jar can NOT be detected with any vulnerability (but the previous scanner build can).
- NVSHAS-9447: Controller/Scanner pods crashing - "Unsupported system Exit".
- NVSHAS-9278: CVE-2024-41110 is found in the latest scanner image.
- NVSHAS-9467: Custom group defined by the pod label does not propagate its profile data on the children containers.
- NVSHAS-9442: Deployment issue on ArgoCD.
- NVSHAS-9436: Possible CVE false negative against CVE-2024-7347.
- NVSHAS-9468: Fix CVE-2020-26160 to replace jwt-go with jwt:v5.
- NVSHAS-9517: Admission control is not consistent, getting incorrect results.
- NVSHAS-9532: The image scan is completed but deployment is still not allowed.
- NVSHAS-9558: JWT token expire reports http.StatusRequestTimeout 408.
- NVSHAS-9576: Clear password field for registry data when user uses controller mode with Jenkins to scan.
- NVSHAS-9425: Create nfq when container has vxlan.
- NVSHAS-9571: [Registries] Filter for all scanned image does not work well.
- NVSHAS-9589: Managed clusters disconnected - Version mismatch with primary cluster.
- NVSHAS-8824: User fails to delete own groups, cannot create namespace-scoped groups.
- NVSHAS-9605: Export group with invalid policy mode & process profile mode values is mistakenly allowed.
- NVSHAS-9608: Scanner does not report any error when controller reports an error for huge scan results ~23MB.
- NVSHAS-9534: Display error in admission controls.
- NVSHAS-9600: Cannot disable controller debug.
- NVSHAS-9631: Reduce some enforcer errors.
- NVSHAS-9645: Pre-existing CRD processing fails.
- NVSHAS-9592: No new scan despite new DB version.
- NVSHAS-9212: Display alerting msg in GET(/v1/eula) if the neuvector-binding-secret role(binding) is incorrect.
- NVSHAS-9367: Enhance error messages when registry fails to be connected.
- NVSHAS-9475: Background grid print is not fully covering when menu is collapsed.
- NVSHAS-9485: Incorrect message for 'Network Security Policy Mode' in UI.
- NVSHAS-9480: NV UI deployed on Rancher downstream cluster throws HTTP/403 after Rancher logout.
- NVSHAS-9547: Sorting is broken on the security risks --> vulnerabilities table.
- NVSHAS-9570: [Vulnerabilities] Change the legend description for different statuses on assets.
- NVSHAS-9561: Dashboard board overall security score should match the actual score.
- NVSHAS-9572: [Vulnerabilities] Filtered data was kept no matter user refresh or re-login on page.
- NVSHAS-9597: UI doesn't respond to any error when the controller returns 403 for POST(v1/group).
- NVSHAS-8682: CRD webhook service needs to be moved from crd helm chart to application helm chart.
Known issues
- In the 2.8.3 chart release, we have moved a previously misallocated resource from crds to core. If you use both crds and core charts, you might see issues during upgrade if you deploy core first. To resolve this, upgrade the crds first and then core charts.
5.4 September 2024
Overview
- UI Improvements:
- Display Rancher SSO users.
- Manage JWT tokens.
- Enhanced image navigation, and scan result links.
- Security Enhancements:
- New compliance filters.
- Support for CIS benchmarks, and OCI image signing.
- Network & Monitoring:
- Advanced bandwidth and session tracking.
- DDoS monitoring.
- Multus network support.
- Cert Management:
- New notifications for expiring internal certificates, including rotation capabilities.
- Automation & Integration:
- Federation automation.
- Rancher RBAC integration.
- Improved admission control.
- Performance & Efficiency:
- Reduced memory usage.
- ISP data charge reduction.
- Scanner cache stats exposure.
- Usability Improvements:
- Bootstrap password support.
- Cloud billing data archiving.
- Namespace boundary enforcement.
New Features:
- NVSHAS-9012: Displaying Rancher SSO users on NV UI that have the same user name.
- NVSHAS-8939: Provide an option on NV UI so that Rancher SSO session users can drop the current JWT token (i.e. logout).
- NVSHAS-7522: Easy image navigation through registries.
- NVSHAS-8148: Link from container image to registry image scan results.
- NVSHAS-9258: Add a new notification for expiring certificates and internal certs.
- NVSHAS-8915: Support for new compliance filters and Compliance report.
- NVSHAS-9403: Filemonitor-UI: Allow user to delete predefined file monitor rule.
- NVSHAS-8423: Detect group-level bandwidth, active session count, and session-rate violation based on configured thresholds.
- NVSHAS-9218: Support for federal and CRD groups for DDoS monitoring.
- NVSHAS-8461: Support CIS benchmarks for managed k8s services in the cloud.
- NVSHAS-7664: Reduce ISP data charges during registry scanning.
- NVSHAS-8868: Expose scanner cache statistics.
- NVSHAS-8676: NV Protect improvement for benchmark scripts.
- NVSHAS-9255: Customize Admission control search registries for image names without FQDN.
- NVSHAS-9144: ID added for vulnerability profile for easy identification.
- NVSHAS-7687: Support configuring log level (debug/error/info/warn) for enforcer and controller from CLI.
- NVSHAS-7518: Change internal certificates for NeuVector components.
- NVSHAS-9287: Enable internal cert rotation.
- NVSHAS-8562: Add internal cert expiration notification.
- NVSHAS-8486: Support Multus network interface.
- NVSHAS-7447: Rancher RBAC integration with NeuVector.
- NVSHAS-7822: Federation automation without scripting API calls.
- NVSHAS-8799: Create a Compliance Framework for importing Compliance Templates.
- NVSHAS-8773: Bootstrap password support during initial deployment.
- NVSHAS-6740: Improvement of zero-drift baseline profile by enforcing the learned list in protect mode.
- NVSHAS-8325: Enforce container namespace boundary for network rule.
- NVSHAS-8723: Archive cloud billing data.
- NVSHAS-9086: Reduce controller process memory usage by eliminating vulTrait data structure.
- NVSHAS-6979: Ability to include comment of response rule in alert content.
- NVSHAS-8845: Create APIKEY with role FedReader and FedAdmin.
- NVSHAS-9306: Admission Control configuration assessment shows rule ID responsible for allowed or denied deployments.
- NVSHAS-9078: Support for image signing for OCI images.
- NVSHAS-7945: Support DISA STIG benchmark for Kubernetes.
- NVSHAS-8234: Admission Control Logic allowing images that should be denied.
Bug Fixes:
- NVSHAS-9005: TypeError in registries: Cannot read properties of undefined (reading 'total_records').
- NVSHAS-9085: Assets View PDF report shows 0% vulnerability even with present vulnerabilities.
- NVSHAS-9084: Assets View PDF report shows NaN when image list is empty.
- NVSHAS-9128: Security Events: Container cannot be displayed if there is no workload's namespace value.
- NVSHAS-9025: Neuvector vulnerability acceptance scope for containers.
- NVSHAS-9155: Registry Scan Image: incorrect column name and missing File Name.
- NVSHAS-9122: Neuvector master logs out any time when using "Multiple Cluster" with Rancher SSO login.
- NVSHAS-9266: Registry scan: Scan Report by Layer button should be hidden or disabled when there's no vulnerability.
- NVSHAS-9219: Allow users to enable server cert validation for auth servers.
- NVSHAS-9246: Filtering for CSV/PDF export does not work.
- NVSHAS-8947: Cannot import NV configuration when authenticated through Rancher SSO.
- NVSHAS-9282: UI: Editing OpenShift registry entry fails due to a missing token.
- NVSHAS-9098: Enhance risk page loading user experience.
- NVSHAS-9267: Do not allow UI on 5.4 master cluster to switch to pre-5.4 managed clusters because of REST API changes.
- NVSHAS-9285: UI: Dropdown list button overlaps with other elements.
- NVSHAS-9302: Cannot create APIKEY with role FedReader and FedAdmin.
- NVSHAS-8539: Reconfigure proxy setting loses password.
- NVSHAS-9293: Removal of unrelated image details in the vulnerability reports.
- NVSHAS-9238: UI doesn't refresh the displayed cluster name after it's changed.
- NVSHAS-9363: Notification Configuration > Webhooks grid are not properly aligned.
- NVSHAS-9362: Security Risk Vulnerabilities filter returns 0 results.
- NVSHAS-8699: Unable to distinguish the user if Rancher AD user is the same.
- NVSHAS-9062: Displaying Rancher SSO users on NV UI that have the same username (Conversion on controller).
- NVSHAS-9071: Some modules are not reported in the container scan only.
- NVSHAS-8242: gRPC call to test if controller handles critical severity.
- NVSHAS-8908: Parse X-Forwarded-Port correctly considering comma separator.
- NVSHAS-9024: AdmissionControl Risky Role Perf.
- NVSHAS-9091: Unable to report all modules under ol:9.1, photon:5.0, rhel:9.1, and amzn:2023 source in repo, registry, and standalone scan.
- NVSHAS-8997: Largely reduce per node policy slot number to improve performance.
- NVSHAS-9059: CRD groups visible in NV even after deletion from K8s.
- NVSHAS-9107: Goroutine crash at rest.handlerConfigLocalCluster.
- NVSHAS-9108: Port 18500 shouldn't be open.
- NVSHAS-9119: Goroutine crash at probe.(*FileNotificationCtr).AddContainer().
- NVSHAS-9125: CRD entry with invalid settings should not be allowed to create.
- NVSHAS-9124: Docker: many unexpected healthcheck process incidents are reported.
- NVSHAS-9111: NV should check `--event-qps > 0`.
- NVSHAS-9130: Unexpected Container.Package.Updated incidents are found after a specific container is started.
- NVSHAS-9080: Fed reader user is unable to access some REST APIs.
- NVSHAS-9092: Namespaced user should not see global assets.
- NVSHAS-9116: The worker cluster is able to leave if the connection is dropped.
- NVSHAS-8980: Get host and tunnel interface on node successfully in oc 4.15.
- NVSHAS-9188: Set mgmt-br interface as host interface for harvester node.
- NVSHAS-4858: Do not expand the containers group in the controller, to improve policy deployment performance and reduce CPU and memory usage.
- NVSHAS-8700: Rancher AD user is unable to log in to NeuVector sometimes.
- NVSHAS-9121: Group's Network Monitoring Threshold setting cannot be edited.
- NVSHAS-9189: Scan will get stuck in scheduling after controller is shutdown and restarted.
- NVSHAS-9019: Fix unsynchronized link state for host interface.
- NVSHAS-8305: Remove built-in certificate.
- NVSHAS-9013: Removing BPF filter on the process monitor.
- NVSHAS-7853: TLS handshake EOF.
- NVSHAS-9290: User-added process profile rule not taking effect with ZD enabled.
- NVSHAS-9301: NV deployed on Rancher Prime cannot tell it's Rancher flavor.
- NVSHAS-9289: Allow upgrade when RBAC is missing.
- NVSHAS-7601: Improve restore from PV config backup during scenarios.
- NVSHAS-7687: Add syslog level setting for enforcer.
- NVSHAS-9292: Fix Ingress Egress exposure shows 0 Vulnerabilities.
- NVSHAS-9270: Support k3s for CIS benchmark pipeline.
- NVSHAS-9338: Alert 'Managed cluster [id] is disconnected from primary'.
- NVSHAS-9358: Image scan using proxy would fail.
- NVSHAS-9337: Send log message when SYN flood is detected.
- NVSHAS-9209: Delete domain cache when namespace is deleted from k8s.
- NVSHAS-8985: Federated registries disappear after controller restart.
Known Issue:
- NVSHAS-9443: Upgrade/Install through ArgoCD fails as it cannot create leases.coordination.k8s.io object.
- Workaround: Create the given Lease objects before upgrading to 5.4.0 using Argo CD. Change the namespace if it differs from neuvector.
cat <<EOF | kubectl apply -f -
apiVersion: coordination.k8s.io/v1
kind: Lease
metadata:
  name: neuvector-controller
  namespace: neuvector
spec:
  leaseTransitions: 0
---
apiVersion: coordination.k8s.io/v1
kind: Lease
metadata:
  name: neuvector-cert-upgrader
  namespace: neuvector
spec:
  leaseTransitions: 0
EOF
5.3.4 July 2024
Bug Fixes
- The `host` and `tunnel` interfaces are successfully retrieved with OpenShift CLI v4.15.
- The IP range 169.254.x.x is excluded from the host interface IPs.
- Re-examine the host interface 1 minute after enforcer startup.
- Fixed an issue where the OpenID issuer URL regex was failing.
- Remediates the following CVEs:

| CVE | Applies to | Impact |
|---|---|---|
| CVE-2023-42364 | busybox | 🟡 Medium |
| CVE-2023-42365 | busybox | 🟡 Medium |
| CVE-2024-6197 | curl | 🟡 Medium |
| CVE-2024-6874 | curl | 🟡 Medium |
| CVE-2024-5535 | openssl | 🔴 Critical |
| CVE-2024-4741 | openssl | 🟡 Medium |
5.2.4-s5 July 2024
- Remediates the following CVEs:

| CVE | Applies to | Impact |
|---|---|---|
| CVE-2023-42363 | busybox | 🟡 Medium |
| CVE-2023-42364 | busybox | 🟡 Medium |
| CVE-2023-42365 | busybox | |