Known and Fixed Issues on Prisma Cloud
The following table lists the known and fixed issues on Prisma Cloud.
Known Issues
End of support for AWS SDK for Java v1.x
tt:[26.2.1]
AWS is ending support for AWS SDK for Java v1.x. As a result, some customers may experience a temporary warning that AWS SDK for Java v1.x is no longer supported, even if it is not present in their environment. This warning can be disregarded. The SDK is used exclusively by the Prisma Cloud server and does not introduce any risk to your environment. All SDK-related runtimes are confined to the Prisma Cloud server side. The use of the legacy SDK has no impact on your AWS environment.
Prisma Cloud will update to AWS SDK for Java 2.x in a future release.
Azure Permission Removal
tt:[26.2.1]
Azure has deprecated the following permission required to ingest resources. This permission will be removed as a requirement in a future release.
Microsoft.Orbital/spacecrafts/read
Ingested Findings Sources
tt:[25.12.1]
Live Status Check Limitation
tt:[25.12.1]
Flow Logs Ingestion Limitation
tt:[25.12.1]
Vulnerability data for Windows hosts
tt:[34.02.133]
Vulnerability Data Access Issue in Prisma Cloud Enterprise Edition (Windows CSA only)
Issue
Users of Prisma Cloud Enterprise Edition are currently experiencing an issue preventing access to vulnerability details detected by cloud security agents (CSA) on Windows hosts. This data is inaccessible through both the user interface and the API.
Clarification
It is important to note that this issue solely affects the access to vulnerability data. Cloud security agents are successfully detecting and reporting vulnerabilities, and the underlying data remains intact. All historical and newly detected vulnerability data will become available once this access issue is resolved.
Resolution Timeline
Palo Alto Networks is actively working on a fix for this critical issue. A resolution is expected to be deployed and made available to users early next week. Please monitor official communication channels for updates regarding the fix’s availability and implementation steps.
RLP-156679
tt:[25.8.1]
Issues Found Warning during Onboard or Update
You may encounter an Issues Found Warning under Security Capabilities and Permissions > Misconfigurations > Asset configuration when onboarding or updating your AWS cloud accounts. This warning lists the required permissions for various API services.
You can safely ignore this warning message. It is triggered by the backup:ListRecoveryPointsByBackupVault permission for the aws-backup-recovery-point API. The API is disabled by default.
CWP-63673
tt:[34.01.126]
RedHat Enterprise Linux 10 incompatibility with Defender Agents
RedHat deprecated iptables in RHEL 9 and does not support iptables in RHEL 10.
The WAAS defender agent relies on iptables and is therefore incompatible with RHEL 10 due to this change.
Host details display incorrect Windows version
tt:[34.01.126]
When entering an RQL query, if the specified conditions are met for the aws-kms-get-key-rotation-status API, rotation and policy data (specifically in the fields keyRotations and keyPolicies in the config JSON) will not be ingested. The conditions include:
- KeyMetadata.Origin being one of ('EXTERNAL', 'AWS_CLOUDHSM')
- KeyMetadata.KeyManager being AWS
- KeyMetadata.Description starting with Default master
As a result of these conditions, the list of related assets for aws-kms-get-key-rotation-status API will not be visible.
Prisma Cloud uses EventBridge keys to authenticate events in the webhook, and these keys do not support key rotation. If you receive alerts for these keys 365 days after their setup due to the violation of 'AWS Secrets Manager - Ensure unmanaged secrets are rotated at least every 365 days' policy, you will not be able to resolve these alerts by rotating the keys.
Resolution—Alerts must be manually dismissed for each account. You can also perform bulk dismissal to resolve these alerts.
Google Cloud Run Functions (Gen2) May Not Be Scanned with Selective Registry Scanning
Google offers serverless functions in two versions: Cloud Functions ("Gen1") and Cloud Run Functions ("Gen2"). Prisma Cloud fully supports vulnerability scanning for Gen1 functions.
For Gen2, when code is uploaded to Google Cloud Run Functions, a container image is created and stored in Google Artifact Registry (GAR) or Google Container Registry (GCR). If Prisma Cloud is set to scan all registries in your GCP account, Gen2 function images will be scanned. To view results, check the relevant registry and refer to Google’s naming conventions for container images here.
If Prisma Cloud is configured to scan only selected repositories, the specific repository used by Cloud Run might not be scanned. We are working to support Gen2 function scanning in this scenario.
Discrepancies in Vulnerability Scan Results
In rare instances, discrepancies were observed between vulnerability scan results from Defender and twistcli host scans.
For example, certain compliance checks identified by twistcli were not reflected in Defender scan results, and vice versa. Additionally, for some operating systems, twistcli reported a higher number of high-severity findings compared to Defender.
Even though non-System Administrators do not have the permission required to activate subscriptions, the Subscribe button is displayed for various modules under Subscriptions.
Resolution—There is no impact on system behavior since Prisma Cloud runs a check, which prevents non-System Administrators from activating the subscription even if they click Subscribe.
Prisma Cloud only ingests resources for the Google Vertex AI AIPlatform API (gcloud-vertex-ai-aiplatform-index) in the following regions, where the service is available according to the Cloud Service Provider.
- asia-east1
- asia-east2
- asia-northeast1
- asia-northeast3
- asia-south1
- asia-southeast1
- asia-southeast2
- australia-southeast1
- europe-central2
- europe-west1
- europe-west2
- europe-west3
- europe-west4
- europe-west6
- europe-west9
- me-west1
- northamerica-northeast1
- northamerica-northeast2
- southamerica-east1
- us-central1
- us-east1
- us-east4
- us-south1
- us-west1
- us-west2
- us-west3
- us-west4
Impact—You may encounter the "Matching Engine is not supported" error in regions that are not used or where the API service is not supported.
Last Modified date for some custom config policies, even if no changes were made. This does not have any impact on the policy evaluation and does not change the functional behaviour of the policies.
K8s Defender Crash Loop on RKE2
The K8s defender pods on the RKE2 go into a crash loop if the defender is deployed using the default YAML file options.
Workaround: For Kubernetes defenders on RKE2, create the YAML file with the “SELinux Policy” option. This workaround is applicable to RKE2 only.
Prisma Cloud does not support the ingestion of GCP Storage buckets with the locationType Dual-region.
Impact: You may notice a mismatch between GCP Storage Bucket counts and the total number of GCP Storage Buckets listed in your GCP Project on Prisma Cloud.
Cloud resources located in disabled regions may trigger policy violations, resulting in false positive alerts. You may notice these misleading alerts associated with specific OOTB policies.
Workaround: You must manually dismiss these false positive alerts.
Some invalid assets related to accounts for which the cloud scan was not completed will be deleted.
Impact: Open alerts on such existing invalid assets, where asset type is Account Aggregate Entity will get resolved.
In certain cases, a system processing issue is causing deviations in the total, passed, and failed assets count.
Impact: Inaccurate overall asset counts will be displayed on Asset Inventory and Compliance Dashboard for some customers.
To ingest the gcloud-cloud-domains-registration API, you need the Viewer role or any of the least-permissive built-in roles such as Cloud Domains Viewer or Cloud Domains Admin, which include the permissions domains.registrations.list and domains.registrations.getIamPolicy.
Custom roles cannot be configured to include these permissions, as Google Cloud Platform (GCP) does not permit it. As a result, Prisma Cloud will be unable to ingest the gcloud-cloud-domains-registration API when using a custom role.
Impact: If the Viewer role or a domain-related built-in role is correctly configured, ingestion of the gcloud-cloud-domains-registration API will proceed as expected.
If neither the Viewer role nor a domain-related built-in role is configured, the API ingestion will fail, and the 'Missing Permissions' warning for the above permissions will not be displayed on the account status page.
When you filter assets associated with the Azure AD B2C tenants in the Europe region, you may notice that assets listed on the Inventory page under Region ID and Region columns incorrectly display as GCP Europe instead of Azure Europe. However, you can safely assume that the assets listed under the Region and Region ID columns are Azure Europe instead of GCP Europe.
Workaround: To verify the correct region, search for the location field in the asset’s JSON.
While testing integrations with third-party tools such as Jira, Webhook, Splunk, and Microsoft Teams in Prisma Cloud, an "Unsecure url protocol" error may be displayed.
Workaround: Update all URLs used during the setup process from HTTP to HTTPS to resolve the error. This update ensures a more secure connection without impacting your existing alert notifications.
If you do not want to update the URLs from HTTP to HTTPS, you can choose to ignore the error. This will not have any impact on your existing alert notifications.
The following errors may occur when you onboard your OCI tenant to Prisma Cloud:
- Either tenant ocid or user ocid or home region is incorrect or insufficient permissions.
- Authentication Failed. Check Account Details.
You can safely ignore these errors. They occur due to the migration of OCI tenants from Oracle Identity Domains (IDCS) to the new OCI IAM on the OCI cloud services, resulting in a significant delay in activating the user API Keys used for OCI Cloud Account Onboarding.
To verify successful onboarding, go to Settings > Providers > Cloud Accounts and ensure your account Status is green after 24 hours.
user and labels. Other field types may not be populated as expected during the setup process. This is a known issue.
Asset Class, Resource Type, and Service Name filters, the alerts displayed are a combination of those three selected filters. Whereas on the Asset Inventory and Asset Explorer pages, preference is given to Resource Type over Service Name when both filters are selected, due to which the assets for which alerts are displayed on the Asset Inventory and Asset Explorer pages do not match those displayed on the Alerts Overview page.
The AWS Global Accelerator service returns an Access Denied error with the message assumed-role/PrismaCloudReadOnlyRole/redlock is not authorized to perform: iam:CreateServiceLinkedRole on resource. The issue occurs because the aws-global-accelerator-accelerator API requires you to enable the service-linked IAM role to ingest metadata. To resolve the error, update the role to include the required permissions.
Workaround: If you do not want to enable the service-linked role, create a support ticket with Palo Alto Networks Technical Support to disable the AWS Global Accelerator service API.
When integrating Prisma Cloud with Jira, if the Jira issueType field uses a space as a separator between words, such as Service Request or New Feature, a 500 Internal Server error occurs while configuring Typeahead fields such as Reporter or Assignee in a Notification Template. You will be unable to create a Notification Template for Jira with the Typeahead fields.
Workaround: Rename the field to remove the space or add an underscore. For example, ServiceRequest or New_Feature. You can then add Typeahead fields in a Notification Template.
Applies to Prisma Cloud Data Security only
Malware report is not available in PDF format.
When you enable Dataflow compression for a cloud account, the subnetwork creation status may display a failure message on the onboarding status page. This error displays because the time threshold to create the subnetwork and report completion exceeds the response time threshold on Prisma Cloud.
Workaround—Go back to the previous page and click Next to load the status page again.
aws-ecs-describe-task-definition and aws-emr-describe-cluster APIs now run once every 24 hours to generate alerts. If you have cloud accounts with a significant amount of ECS/EMR resources, the resource status is updated once a day.
AWS CloudTrail in the Osaka region (ap-northeast-3) does not display on the Prisma Cloud administrative console.
This issue requires a fix on AWS. When fixed on AWS, the issue will be automatically resolved on Prisma Cloud.
When deploying a Fargate Defender alongside an Nginx server, the Nginx server was inaccessible through a browser, despite both the Fargate Defender container and the Nginx server container launching successfully. Additionally, no access logs were generated in the CloudWatch log file.
Workaround: Customize the Nginx container’s error logging behavior by performing the following steps.
#1: Edit nginx.conf as below. Make sure that this file is copied from the official Nginx container, and not newly created.
    error_log stderr;
#2: Use the above custom nginx.conf and the following Dockerfile to build a new Docker image.
    # Use the official Nginx image as the base
    FROM nginx:latest
    # Remove existing symlink for error.log if it exists
    RUN rm -f /var/log/nginx/error.log
    # Copy custom nginx.conf into the container
    COPY nginx.conf /etc/nginx/nginx.conf
    # Start Nginx
    CMD ["nginx", "-g", "daemon off;"]
The --tarball option in twistcli does not scan for compliance checks. Currently, only vulnerabilities are detected successfully.
A 404 Not Found error is displayed when performing a sandbox image analysis using an older version of twistcli, such as v22.06, with the 22.12 console.
For an application that originates from an OS package, the vulnerability data for CVEs is sourced from the relevant feed for the OS package. In some cases, like with Amazon Linux and Photon OS, this CVE information is provided in security advisories such as Amazon Linux Security Advisories (ALAS) for Amazon, and PHSA for Photon. In such cases, the correlation for the relevant vulnerabilities is limited.
As an example, when the application “python” is sourced from an Amazon Python package, CVEs found for the python application (as a binary) will not be correlated with the relevant Amazon CVEs from the ALAS.
iptables package is installed fails because iptables was deprecated in RHEL 9 and replaced with the nftables package.
In Inventory > Compute Workloads, for users logged in with a role other than the built-in System Admin role, currently only data about cloud provider managed registry images and VM instances can be viewed. In particular, for such roles, data about the following types of assets is currently not displayed:
- Run stage images
- Private registry images
- Build stage images
- On-premises hosts/hosts managed by cloud providers unsupported by Compute
With the support for ACI in cloud discovery, here are the two issues:
- Status: The status field currently utilizes Properties > ProvisioningState, which does not reflect the container status. For more information, refer to Azure Container Instances states.
- Defend: The Defend functionality does not support Azure Container Instances (ACI). The Defend functionality is enabled across all accounts and services, and when selected, it redirects to Images > Registry Settings.
Duplicate Admission Rules
Six admission rules released in Version 32, Update 2 were found to be duplicates of older existing rules. If you need the functionality provided by these rules, we recommend disabling the old rules and using the new corresponding rules, as the older rules will be removed in an upcoming release.
The old rules and their corresponding new rules are as follows:
- Old rule: Twistlock Labs - CIS - Pod created in host process ID namespace. New rule: Twistlock Labs - PSS - Baseline - Pod with containers that share host process ID (hostPID) namespace
- Old rule: Twistlock Labs - CIS - Pod created on host IPC namespace. New rule: Twistlock Labs - PSS - Baseline - Pod with containers that share host IPC namespace
- Old rule: Twistlock Labs - CIS - Pod created on host network. New rule: Twistlock Labs - PSS - Baseline - Pod that allows containers to share the host network namespace
- Old rule: Twistlock Labs - Pod created with sensitive host file system mount. New rule: Twistlock Labs - PSS - Baseline - Pod created with sensitive host file system mount
- Old rule: Twistlock Labs - CIS - Privileged pod created. New rule: Twistlock Labs - PSS - Baseline - Pod should not run privileged containers
- Old rule: Twistlock Labs - CIS - Privilege escalation pod created. New rule: Twistlock Labs - PSS - Restricted - Pod that allows container privilege escalation
Note: Even though both the new and old rules are enabled by default, you will not receive duplicate alerts as only the first encountered rule is enforced.
CVE Exclusions Update
The following CVEs that are included in the Intelligence Stream feed are ignored:
- CVE-2022-29583 (GitHub Advisory Database), as it is a disputed vulnerability.
- CVE-2024-3154 (Arbitrary Systemd Property Injection), as Defender does not directly use this package.
failed to retrieve "size" specification option value during the migration doesn’t impact the migration process and can be ignored.
Twistlock console unable to list image tags from remote repo
If the defender and the remote repository are in different subnets, pulling image tags using podman search --list-tags is not supported with the same access token issued by registry.twistlock.com.
Fixed Issues
CWP-64581
tt:[Secure the Runtime]
tt:[34.04.145]
Resolved rare kernel panic in runtime monitoring
Fixed a race condition in fsmon that could lead to a kernel panic.
CWP-64543
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed WAAS rule forcing defender memory to 4GB
WAAS rule no longer forces defender max memory to 4GB when enabled on a cluster.
CWP-64542
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed defender memory settings preservation
Defender memory settings are now preserved correctly and no longer decrease unexpectedly.
CWP-64538
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed SSH host activity detection on Debian 13
SSH host activity is now properly detected on Debian 13 systems.
CWP-64513
tt:[Secure the Runtime]
tt:[34.04.145]
Improved version detection accuracy for vulnerability assessment
Defender and twistcli now correctly use OS package version when an app is correlated but its version is missing.
CWP-64494
tt:[Secure the Runtime]
tt:[34.04.145]
Reduced false positive CVEs from RPM Epoch detection
Fixed possible false positive CVE-2023-47038 due to RPM Epoch detection issues.
CWP-64486
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed container data display in image tab for agentless scans
Container data now displays correctly in the image tab when using agentless scanning.
CWP-64467
tt:[Secure the Runtime]
tt:[34.04.145]
Resolved yum hang during agentless scanning
Fixed an issue where the yum command would get stuck during agentless scanning.
CWP-64464
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed OCI agentless connectivity in Ashburn region
Resolved agentless connectivity issues for OCI in the Ashburn region.
CWP-64458
tt:[Secure the Runtime]
tt:[34.04.145]
Improved busybox version detection in agentless scans
Agentless scanning now correctly detects the full busybox version on hosts.
CWP-64454
tt:[Secure the Runtime]
tt:[34.04.145]
Multiple defender stability improvements
Backlog bug fixes for defender stability in Quinn Update 4.
CWP-64425
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed app-embedded defender exit on DNS resolution failures
App-embedded defender no longer exits when handleGetAddrInfoEvent fails.
CWP-64402
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed 502 bad gateway error in Runtime Security Module
Resolved a Runtime Security connectivity issue.
CWP-64398
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed image cleanup skipping images with empty hosts
Image cleanup logic no longer skips images when the hosts field is empty.
CWP-64382
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed RHEL 10 defender false iptables error logging
Host defender using nftables on RHEL 10 no longer logs errors about missing iptables.
CWP-64380
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed Cloud Run functions appearing in Radar when feature flag is off
Functions created with gcloud run are no longer listed in Radar view when the feature flag is disabled.
CWP-64367
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed ServiceNow alert integration reliability
Resolved issues with alerts failing to send to ServiceNow.
CWP-64359
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed CNNS container summary count mismatch
CNNS for containers now correctly sums up to match its detail counts.
CWP-64358
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed incident audit CSV serial number column
The twistlock_incidents_audit CSV file serial number column now increments correctly instead of showing constant #0.
CWP-64319
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed registry scan handling of long image tags
Registry scan image cleanup no longer fails when tag exceeds 128-character limit.
CWP-64237
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed consistent WAAS protection for Istio traffic
Istio traffic is now consistently protected by defender when using WAAS.
CWP-64233
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed registry scanner error message formatting
Registry scanner log now shows proper image pull error messages instead of %!s(MISSING).
CWP-64167
tt:[Secure the Runtime]
tt:[34.04.145]
Resolved log flooding from missing container images
Fixed "Failed to find image for container" messages flooding the log.
CWP-64117
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed ECS EXTERNAL launch type handling
Cloud Discovery now correctly handles ECS EXTERNAL launch type.
CWP-64116
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed auto-defend rules custom role filtering
Host and serverless auto-defend rules are now properly filtered by custom role.
CWP-64068
tt:[Secure the Runtime]
tt:[34.04.145]
Fixed agentless scan status persistence after refresh
Agentless last scan field no longer disappears on page refresh.
CWP-64398
tt:[Secure the Runtime]
tt:[34.04.145]
Image cleanup logic skips images when hosts field is empty
Fixed an issue where images that have been deleted from their namespaces are still being shown in the console.
CWP-64117
tt:[Secure the Runtime]
tt:[34.04.145]
Cloud Discovery limitation resolved
ECS task definition containers with launchType: External that are listed in the Inventory are not present in the Prisma Cloud Console ( Runtime Security > Radar). This issue is now fixed.
CWP-63717
tt:[Secure the Runtime]
tt:[34.04.145]
Filepaths of secrets found by scanners other than agentless contain prefix of scan directory
Resolved an issue with the Vulnerability scan report for registry images showing vulnerabilities that are tagged to an image path which does not actually exist on the image.
CWP-64258
tt:[Secure the Runtime]
tt:[34.04.145]
Cloud Radar resource reporting
Fixed an issue with the inaccurate reporting for Defended resources.
CWP-64116
tt:[Secure the Runtime]
tt:[34.04.145]
Console - host and serverless auto-defend rules are not filtered by custom role
Resolved an issue with a custom role user not being able to access certain specifications when working with Defender Auto-Deploy rules.
CWP-64265
tt:[Secure the Runtime]
tt:[34.04.145]
Macro fields not populated
Fixed an issue with some macro fields not being populated, when a Compliance trigger is set up to forward alerts via Webhook to Service Now.
CWP-64459
tt:[Secure the Runtime]
tt:[34.04.145]
NF table support
Following the addition of NF tables support in WAAS, NF tables support is also now available for Defender (CNNF and Runtime Policy).
Note: Open issues relating to the Compliance scan flow, will be addressed in a subsequent release.
CWP-64543
tt:[Secure the Runtime]
tt:[34.04.145]
Defender Memory Settings
This fix prevents the Defender memory setting from being decreased when it has already been set.
CWP-63255
tt:[Secure the Runtime]
tt:[34.04.145]
Unused Defender packages
Removed multiple unused packages to reduce exposure to CVEs.
PCSUP-29054
tt:[Secure the Runtime]
tt:[34.03.138]
Standardized Non-Privileged User ID for Defender CLI
To enhance security across all supported operating systems, the Defender component will now use the standardized, non-privileged User ID (1100) when executing Command Line Interface (CLI) commands.
CWP-63569
tt:[Secure the Runtime]
tt:[34.03.138]
Account-level reporting of scan date and time
The scan start and end date and time were earlier reported at the region level and weren’t precise in some situations. This fix ensures accurate reporting of scan start and end date and time at the individual account level.
CWP-63632
tt:[Secure the Runtime]
tt:[34.03.138]
Release name for Windows Server 2025 doesn’t resolve correctly
This issue is fixed now. The release name for Windows Server 2025 displays correctly.
CWP-64185
tt:[Secure the Runtime]
tt:[34.03.138]
Improved defender stability with Read-only 'runc' paths
Previously, in crio environments, if the paths to runc were located in read-only directories, the defender would delegate the calls to the first runtime it found, increasing the risk of node instability.
This issue has now been resolved, and defender will use the default runtime. To properly deploy the newer version containing this fix, follow these steps:
- Remove the existing defender daemonset.
- Ensure that no ZZ-twistlock.conf file is present in /etc/crio/crio.conf.d. If it exists, delete it.
- Restart the affected node.
- Deploy the new defender.
CWP-64196
tt:[Secure the Runtime]
tt:[34.03.138]
App-embedded Defender crashes on thread termination
The App-embedded defender crashes if the application it is protecting, or a thread of the application, terminates while it is connecting to the app-embedded defender.
CWP-61530
tt:[Secure the Runtime]
tt:[34.02.133]
False positives for Oracle images and hosts
The issue with CVE matching for Oracle images and hosts, which caused false positives due to missing Oracle module information, is fixed now.
CWP-63043
tt:[Secure the Runtime]
tt:[34.02.133]
False positives for OpenShift images
False positives were reported for OpenShift images due to incorrect parsing of the release label.
This issue is fixed now.
CWP-63194
tt:[Secure the Runtime]
tt:[34.02.133]
False positives due to incorrect Red Hat version comparison
Added support for the epoch prefix in Red Hat images. Previously, the epoch was omitted during image scanning, causing version comparisons to ignore it and resulting in false positives. This fix ensures the epoch value is included, allowing accurate version comparisons and preventing incorrect vulnerability matches.
CWP-63341
tt:[Secure the Runtime]
tt:[34.02.133]
Defender periodic scans are not disabled when the scan interval is set to 0
Even when the scan interval for images, containers and hosts is set to 0 on the Manage > System > Scan page in the UI, the defender continues to execute periodic scans every 24 hours.
This issue is fixed now.
CWP-63479
tt:[Secure the Runtime]
tt:[34.02.133]
Incorrect value in the CaaS containers column
The value in the CaaS containers column in the Registry images table on the Monitor > Vulnerabilities > Image > Registries page was not updated if the Fargate task was no longer available in Prisma Cloud.
This issue is fixed now.
CWP-63695
tt:[Secure the Runtime]
tt:[34.02.133]
Serverless scanning of Python packages in the requirements.txt file
Previously, dependencies in the requirements.txt file were not considered during vulnerability and compliance scans of Azure serverless functions and GCP Cloud Run functions for Python. Now, packages specified in requirements.txt are also included in the scan.
Note that for packages in the file to be taken into consideration, specific package versions need to be specified using "==". For example: docopt == 0.6.1
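Because only entries pinned with "==" are picked up by the scan, it helps to know beforehand which lines of a function's requirements.txt would be left out. The following is an added example (not Prisma Cloud's own code) that parses a constructed requirements.txt and separates exact pins from entries the scan would not consider; the sample file, regex and function names are the author's assumptions.

```python
"""Separate exactly pinned (==) entries in a requirements.txt from unpinned ones.

Added example, not Prisma Cloud's own code. Only "name == version" lines count
as pinned, mirroring the note above; everything else is reported so the
practitioner knows which packages the serverless scan would leave out.
"""
import re

# Constructed sample file (not from the page): a mix of pinned and unpinned entries.
SAMPLE_REQUIREMENTS = """\
# runtime dependencies
docopt == 0.6.1
requests>=2.31
Flask[async]==3.0.0 ; python_version >= "3.8"
pyyaml~=6.0
urllib3==1.26.18,<2
-r base.txt
cryptography
"""

# name, optional extras, optional operator and version; markers after ';' are stripped earlier.
_SPEC_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?P<extras>\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|!=|<=|>=|<|>)?\s*"
    r"(?P<version>[^;,\s]+)?"
)


def normalise_name(name):
    """PEP 503 style normalisation so Flask, flask and Python_Dateutil compare consistently."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (pinned, unpinned).

    pinned:   dict of normalised name -> exact version for 'name == version' lines
    unpinned: list of normalised names (or raw lines for URL/VCS entries) that carry
              no exact pin and would therefore be skipped by the scan
    """
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or line.startswith("-"):  # blank lines and pip options (-r, -e, ...)
            continue
        if "://" in line or " @ " in line:  # URL or VCS requirements have no '==' pin
            unpinned.append(line)
            continue
        specifier = line.split(";", 1)[0].strip()  # strip environment markers
        match = _SPEC_RE.match(specifier)
        if not match:
            unpinned.append(line)
            continue
        name = normalise_name(match.group("name"))
        exact = match.group("op") == "==" and match.group("version") is not None
        if exact and "," not in specifier:  # 'a==1,<2' is a range, not an exact pin
            pinned[name] = match.group("version")
        else:
            unpinned.append(name)
    return pinned, unpinned


if __name__ == "__main__":
    pins, loose = parse_requirements(SAMPLE_REQUIREMENTS)
    print("pinned (scanned):", pins)
    print("unpinned (not scanned):", loose)
```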
CWP-63711
tt:[Secure the Runtime]
tt:[34.02.133]
URLs for RHEL repos
The issue with CVE matching that caused false positives when relative URLs for Red Hat repositories are used is fixed now.
CWP-63808
tt:[Secure the Runtime]
tt:[34.02.133]
Gateway timeout while loading feeds
Feed-changed notifications to Defenders are now batched and spread out to prevent 504 Gateway Timeout errors from concurrent downloads. Defenders also use exponential backoff with jitter for retries.
CWP-63880
tt:[Secure the Runtime]
tt:[34.02.133]
Base image history tagging
Scanning over 50 digests under one rule caused older base image digests to be deleted, removing base image links. The Base Image tag incorrectly remained under the Layers tab for these images. This has been fixed: the Base Image tag is now correctly removed from the Layers tab for images whose original base images were overridden.
CWP-63887
tt:[Secure the Runtime]
tt:[34.02.133]
False positives for Amazon ALAS CVE advisories
False positives were generated because of the change in the URL for the Amazon ALAS CVE advisory file. The underlying cause for these false positives is fixed now.
CWP-63924
tt:[Secure the Runtime]
tt:[34.02.133]
Node crashes on OpenShift 4.18 clusters
Node crashes may happen on OpenShift 4.18 clusters in case the defender is configured with a block policy.
This happens because OpenShift 4.18 has changed the default runtime implementation from runc to crun, and the defender didn’t handle that change correctly.
The issue is fixed now.
CWP-63935
tt:[Secure the Runtime]
tt:[34.02.133]
JWT tokens with Japanese characters fail to authenticate
Prisma Cloud roles with names that included Japanese characters caused an error.
This issue has been fixed.
CWP-63688
tt:[34.01.132]
tt:[Secure the Runtime]
No default outbound access for Azure Agentless Scanning
Microsoft Azure is retiring the facility to provide default outbound access. See the Microsoft announcement for more details.
This change will adversely impact Prisma Cloud’s ability to perform Agentless Scanning. To mitigate this issue, Prisma Cloud agentless scanners will employ Network Address Translation (NAT) gateway to access the console.
To enable Prisma Cloud agentless scanners to use the NAT gateway, the following additional permissions have been added to the onboarding Terraform template:
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/publicIPAddresses/write
- Microsoft.Network/publicIPAddresses/delete
- Microsoft.Network/natGateways/read
- Microsoft.Network/natGateways/write
- Microsoft.Network/natGateways/delete
This fix ensures that Prisma Cloud Compute uses NAT gateway for agentless scanning.
CWP-63687
tt:[34.01.132]
tt:[Secure the Runtime]
Enhanced AWS resource-level permissions for copying Amazon EBS snapshots
Amazon AWS has announced enhanced resource-level permissions for copying Amazon EBS snapshots. Please see the Amazon announcement for more details. This change impacts Prisma Cloud agentless scanning of AWS compute instances.
To avoid issues that can arise from this change, the following statement has been replaced in the onboarding CFT:
"Condition": {
"StringEquals": {
"aws:RequestTag/created-by": "prismacloud-agentless-scan"
}
},
"Action": [
"ec2:CopySnapshot"
],
"Resource": [
"arn:aws:ec2:*::snapshot/*"
],
"Effect": "Allow",
"Sid": "PrismaCloudPrismaCloudAgentlessCopySnapshot8"
}
With this statement:
{
  "Condition": {
    "StringEquals": {
      "aws:RequestTag/created-by": "prismacloud-agentless-scan"
    }
  },
  "Action": [
    "ec2:CopySnapshot"
  ],
  "Resource": [
    "arn:aws:ec2:*::snapshot/${*}"
  ],
  "Effect": "Allow",
  "Sid": "PrismaCloudPrismaCloudAgentlessCopySnapshot8"
},
{
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/created-by": "prismacloud-agentless-scan"
    }
  },
  "Action": [
    "ec2:CopySnapshot"
  ],
  "Resource": [
    "arn:aws:ec2:*::snapshot/snap-*"
  ],
  "Effect": "Allow",
  "Sid": "PrismaCloudPrismaCloudAgentlessCopySnapshot9"
}
This change ensures that Prisma Cloud uses the enhanced resource-level permissions announced by Amazon AWS.
The statement changes are not reflected in the status message, because the status check inspects only the Action parameter of each statement and not its other parameters.
RLP-155307
tt:[Fixed in 25.6.1]
CWP-63359
tt:[34.01.126]
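Because the status check in the entry above inspects only the Action field, a practitioner who wants to confirm that the replacement CopySnapshot statements actually landed has to look at Resource and Condition directly. The following added example (not Prisma Cloud's own CFT or tooling) does that over a policy document; the two sample policies are constructed from the legacy and replacement statements quoted above.

```python
"""Check an IAM policy for the updated ec2:CopySnapshot statements (added example,
not Prisma Cloud's own tooling). Prisma Cloud's status check inspects only the
Action field, so this check looks at Resource and Condition instead."""
import json

TAG_VALUE = "prismacloud-agentless-scan"
COPY_SNAPSHOT = "ec2:CopySnapshot"
# Expected (condition key -> resource ARN) pairs from the two updated statements.
EXPECTED = {
    "aws:RequestTag/created-by": "arn:aws:ec2:*::snapshot/${*}",
    "aws:ResourceTag/created-by": "arn:aws:ec2:*::snapshot/snap-*",
}
LEGACY_RESOURCE = "arn:aws:ec2:*::snapshot/*"  # resource ARN of the replaced statement


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def copy_snapshot_statements(policy):
    """Yield every Allow statement that grants ec2:CopySnapshot."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and COPY_SNAPSHOT in _as_list(stmt.get("Action")):
            yield stmt


def check_copy_snapshot(policy):
    """Report which expected statements are present or missing, and any legacy ones."""
    found = {key: False for key in EXPECTED}
    legacy_sids = []
    for stmt in copy_snapshot_statements(policy):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        resources = _as_list(stmt.get("Resource"))
        for key, resource in EXPECTED.items():
            if cond.get(key) == TAG_VALUE and resource in resources:
                found[key] = True
        # The pre-update statement: RequestTag condition on the broad snapshot/* ARN.
        if cond.get("aws:RequestTag/created-by") == TAG_VALUE and LEGACY_RESOURCE in resources:
            legacy_sids.append(stmt.get("Sid", "<no Sid>"))
    return {
        "present": sorted(k for k, ok in found.items() if ok),
        "missing": sorted(k for k, ok in found.items() if not ok),
        "legacy_statements": legacy_sids,
        "up_to_date": all(found.values()) and not legacy_sids,
    }


def _statement(sid, cond_key, resource):
    """Build a constructed sample statement in the shape of the page's CFT."""
    return {
        "Condition": {"StringEquals": {cond_key: TAG_VALUE}},
        "Action": [COPY_SNAPSHOT],
        "Resource": [resource],
        "Effect": "Allow",
        "Sid": sid,
    }


# Constructed samples: the legacy statement, and the two replacement statements.
LEGACY_POLICY = {"Statement": [
    _statement("PrismaCloudPrismaCloudAgentlessCopySnapshot8", "aws:RequestTag/created-by", LEGACY_RESOURCE),
]}
UPDATED_POLICY = {"Statement": [
    _statement("PrismaCloudPrismaCloudAgentlessCopySnapshot8", "aws:RequestTag/created-by", "arn:aws:ec2:*::snapshot/${*}"),
    _statement("PrismaCloudPrismaCloudAgentlessCopySnapshot9", "aws:ResourceTag/created-by", "arn:aws:ec2:*::snapshot/snap-*"),
]}

if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("updated", UPDATED_POLICY)):
        print(name, json.dumps(check_copy_snapshot(policy), indent=2))
```

To check a deployed role, pass the JSON of the role's policy document (for example the output of `aws iam get-policy-version`) to `check_copy_snapshot`.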
#IngressNightmare vulnerabilities
An enhanced mechanism for identification of packages helps in improved detection of vulnerabilities, such as the #ingressnightmare vulnerability issue.
This enhancement allows for earlier detection and remediation, proactively mitigating potential exploits.
CWP-63421
tt:[34.01.126]
The "defended" status for ECS task definitions incorrectly set to false
ECS task definition entities discovered as part of cloud discovery have a "defended" status. This "defended" status field is set to true if a Fargate defender is detected as installed in one of the containers in the task definition. This "defended" status field was incorrectly set to false even when a Fargate defender was installed in one of the containers.
This issue is fixed now.
RLP-154631
tt:[Fixed in 25.3.1]
Agentless Module Impacts Credit Consumption
Resolved an issue with Agentless Scanning worker Virtual Machines (VMs) being counted towards Prisma Cloud credit consumption. Previously, credit computation incorrectly included credits attributed to worker VMs. While the impact on overall credit consumption was negligible, the Cloud Security Posture Management (CSPM) module now identifies worker VMs spun up by the Agentless module. Consequently, credits attributed to Agentless Scanning worker VMs are no longer included in the reported credit consumption data.
CWP-59903
tt:[Fixed in 34.00.137]
Cleanup of system resources after registry scanning
A new scanner tag is generated when an image is pulled for scanning. In certain cases, this tag was not properly removed after the scan completed.
This issue is fixed now. Improvements to the registry scan mechanism ensure a proper cleanup of system resources after scanning.
CWP-62590
tt:[Fixed in 34.00.137]
Prisma Cloud reported incorrect fix dates for RedHat vulnerabilities
This issue occurred for vulnerabilities reported as fixed through RedHat feeds in the VEX format. This issue is fixed now.
CWP-60416
tt:[Fixed in 34.00.137]
Incorrect parsing of Ruby advisories that use RC versions
Incorrect parsing of Ruby advisories that use RC versions (such as '3.0.0-rc.1') caused false positive CVE reporting.
This issue is fixed now.
CWP-61862
tt:[Fixed in 34.00.137]
An incorrect fix date is reported for CVEs that did not provide a fix date initially
An incorrect fix date is reported for CVEs that did not provide a fix date initially and were then reopened and fixed (again) with a fix date that is later than the date when the issue was first reported as fixed. Prisma Cloud reported the date when the issue was first reported as fixed and did not update the fix date after the issue was reopened and fixed with a different date.
This issue is fixed now.
CWP-62128
tt:[Fixed in 34.00.137]
Changes in the Ubuntu feed caused false positives in some situations
Changes in the Ubuntu feed format added an asterisk in the condition for some CVE entries. This was not parsed correctly and led to false positives.
This issue is fixed now.
CWP-62193
tt:[Fixed in 34.00.137]
Incorrect fixed version reported for some CVEs reported in NVD
An issue with the parsing of NVD data led to an incorrect fixed version being reported in some cases.
This issue is fixed now.
CWP-62290
tt:[Fixed in 34.00.137]
Fixed Debian issues that have a CVE with the "nodsa_reason" property set to "ignored" are reported as a vulnerability
Debian CVEs that have an Urgency of "unimportant" or a "nodsa_reason" setting of "ignored" in the Debian feed were not reported as vulnerabilities when detected by Prisma Cloud Compute.
This issue is fixed now. Prisma Cloud Compute now reports such CVEs as vulnerabilities with the status 'will not fix'.
CWP-62394
tt:[Fixed in 34.00.137]
In a few situations serverless credits were consumed even after disabling the serverless functionality
In setups/tenants that had a particular (core-serverless-scan-concurrent-flow-enabled) setting enabled, serverless scan results were not deleted. This caused some serverless credits to be consumed even after the serverless feature was disabled in the tenant.
This issue is fixed now.
CWP-62552
tt:[Fixed in 34.00.137]
Defender is unable to identify the OpenShift installation on the OpenShift nodes
The OpenShift version is not available in the RELEASE_VERSION environment variable in the running 'openshift-tuned' process due to a change in OpenShift. It has now been replaced by a new process called cluster-node-tuning-operator that receives 'openshift-tuned' via command line args. Defenders were unable to detect the OpenShift installation due to this change.
This issue is fixed now.
CWP-62562
tt:[Fixed in 34.00.137]
Fixed RHEL issues are incorrectly flagged as unresolved due to an issue in mapping CPEs to RHEL repositories
After Redhat switched to the new VEX format for reporting CVEs and fixes, some fixed RHEL issues were incorrectly flagged as unresolved due to an issue in mapping CPEs to RHEL repositories.
This issue is fixed now.
CWP-62570
tt:[Fixed in 34.00.137]
Base images when scanned separately, displayed vulnerabilities that were not present
The scan results for some base images that were scanned separately incorrectly displayed vulnerabilities, even though none were present in those base images. Images built on those base images, by contrast, reported their own vulnerabilities correctly and did not display any for the underlying base images.
This issue is fixed now.
CWP-62575
tt:[Fixed in 34.00.137]
False positives observed for vulnerabilities reported in the RedHat VEX format without specific distro-release information
Vulnerabilities reported in the RedHat VEX format without specific distro-release information generated false positives.
This issue is fixed now.
CWP-62609
tt:[Fixed in 34.00.137]
Including packages of a Go application that are part of the main module in the scan results
Previously, Prisma Cloud scan results did not include Go packages that were part of the main module, resulting in the omission of these packages and their associated vulnerabilities in the console.
This issue has now been resolved.
CWP-62668
tt:[Fixed in 34.00.137]
Compliance check 598 always fails for Kubernetes containers running Redis if the container was created without using the --requirepass parameter
Compliance check 598 fails and shows the error “App uses weak or default password” for Kubernetes containers running Redis even though the container uses a strong password. This issue occurs if the container was created without using the --requirepass parameter.
This issue is fixed now.
CWP-62883
tt:[Fixed in 34.00.137]
The 'fix status' column in the vulnerability report is blank for a few CVEs
The 'fix status' column in the vulnerability report is blank for a few CVEs due to missing information in the NVD vulnerability feed.
This issue is fixed now. The required information is now gathered using a separate NVD function.
CWP-62884
tt:[Fixed in 34.00.137]
Stale unpaired cloud security agents (CSAs) are not deleted
This issue is fixed now.
CWP-62994
tt:[Fixed in 34.00.137]
Container protected by an App embedded defender with File System monitoring enabled crashes when an SSH connection is made to it
A container protected by an App-Embedded Defender with File System monitoring enabled crashed when an SSH connection was made to it.
This issue is fixed now.
CWP-63032
tt:[Fixed in 34.00.137]
Support Jenkins LTS CVEs detection
Prisma Cloud now extracts software edition information from CVEs and utilizes it for scanning. This enables Prisma Cloud scanners to differentiate software editions, such as Jenkins LTS releases from regular Jenkins releases, and accurately identify vulnerabilities.
CWP-63033
tt:[Fixed in 34.00.137]
Improved Vulnerability Reporting for Mirrored RHEL Repositories
Repository identifiers often change when repositories are mirrored from Red Hat’s Content Delivery Network (CDN) to alternative cloud environments, like AWS. This may result in inaccurate vulnerability reporting.
The issue has now been resolved by extracting the relative URLs of repositories from the image and comparing them with the corresponding relative URLs provided in the repository-to-CPE mapping file for CVE matching.
CWP-63110
tt:[Fixed in 34.00.137]
Incorrect data is returned when Prisma Cloud roles that have read only access to Windows hosts try to access and retrieve data from those Windows hosts
Incorrect data is returned when Prisma Cloud roles that have read only access to Windows hosts try to access and retrieve cloud metadata from those Windows hosts.
This issue is fixed now.
PCSUP-26234
tt:[Fixed in 33.03.138]
Storage issues during the Defender shutdown process
The Defender shutdown process in versions 32.02 through 32.05 (inclusive) shut down the storage component using a third-party package. This package used a flag to force storage to unmount during the shutdown, which led to storage corruption in some cases. This issue was resolved in 32.06 by modifying the shutdown process to perform a non-forced unmount.
For any Defender instance from the affected versions that has already been shut down, upgrade the defender to a non-affected version (32.06 or later) and then reboot the node to clean up any storage corruption.
CWP-62576
tt:[Fixed in 33.03.138]
Resolving Severity Scores and CVE Links for GO Vulnerabilities in OSV Feed
When processing CVEs sourced from both the GO and GitHub Security Advisories (GHSA) formats in the Open Source Vulnerability (OSV) feed, incorrect severity scores and CVE links were assigned.
This issue is resolved. The fix ensures that the severity scores, CVSS values, and CVE links for GO vulnerabilities are accurate and aligned with the official OSV GO feed.
CWP-62313
tt:[Fixed in 33.02.134]
Improved Status Filter for Cloud Security Agent Page
The "Status" filter under Prisma UI > Manage > Defenders > Cloud Security Agent was displaying only the statuses present in the table, instead of all possible statuses.
This issue has been resolved. The CSA status filter now shows a list of all available statuses: Connected, Disconnected, and Lost. This ensures users can filter the table by any status.
CWP-35710
tt:[Fixed in 33.02.134]
Removing Namespaces After Resource Deletion
In some cases, namespaces remained visible even after all resources within them had been deleted. This led to incorrect vulnerability assessments as the namespaces were not properly removed from the results. This issue is now resolved.
CWP-62296
tt:[Fixed in 33.02.134]
Consistent Vulnerability Data for Red Hat-Sourced Packages
Certain vulnerabilities for Red Hat packages showed a Red Hat severity but CVSS scores from NVD.
This mismatch is now resolved. The fix ensures that both the severity and CVSS score now align with Red Hat’s data, eliminating inconsistencies.
CWP-62084
tt:[Fixed in 33.01.137]
Updating the list of binaries exposed to a vulnerability after rerunning a scan
Rerunning a scan didn’t update the binary packages exposed to a vulnerability. This issue is fixed now.
CWP-61947
tt:[Fixed in 33.01.137]
Boot volume encryption in agentless scanning
Fixed an issue with the agentless scanner boot volume default encryption.
CWP-61606
tt:[Fixed in 33.01.137]
CSV Export Compatibility with Excel
The exported CSV file from the Monitor > Vulnerabilities > Images > Deployed page could not be opened in Excel when the Hosts field exceeded the maximum character limit of 32,768 per column.
This issue is resolved. The fix ensures that the CSV now lists all the hostnames running the same image. However, if the total length exceeds 32,757 characters, the list is truncated, and the number of truncated hostnames is indicated in the CSV.
CWP-59281
tt:[Fixed in 33.01.137]
Improved vulnerability reporting for Debian images
When scanning Debian images, Prisma Cloud occasionally missed some CVEs related to specific package versions. This issue is fixed.
The fix prioritizes CVE matches from the security repository and Prisma Cloud now reports all previously missing CVEs for packages in Debian images.
CWP-58952
tt:[Fixed in 33.01.137]
Improved vulnerability detection for multiple Python versions
In previous versions of Defender, vulnerabilities were only detected and reported for a single Python installation on a host, even if multiple Python versions were installed. This resulted in False Negatives (FN), where vulnerabilities in other Python versions were missed.
The issue is fixed. Prisma Cloud will now scan and report vulnerabilities for each installed Python version on a host.
CWP-59654
tt:[Fixed in 33.01.137]
Support for Amazon Linux CVEs
Previously, Prisma Cloud reported several false positive vulnerabilities for Amazon Linux CVEs that were marked as "not affected" by Amazon.
Prisma Cloud now fully supports CVEs classified as “not affected” by Amazon, improving the accuracy of vulnerability reporting for Amazon products and resolving the false positive issue. The supported Amazon Linux distributions include Amazon Linux, Amazon Linux 2, and Amazon Linux 2023.
Prisma Cloud does not support CVEs labeled as "pending fix" or "no fix planned," as Amazon does not provide the required package version details for precise CVE status reporting.
Improvements in Amazon Linux Vulnerability Reporting
Vulnerability information for many Amazon Linux CVEs lacked consistency across different Intelligence Stream updates, including changes in severity levels and fixed status versions. To address this, several key improvements were made, including enhanced consistency across scans, improved handling of duplicated CVEs, accurate ALAS to CVE conversion, and refined kernel package rules. These changes ensure more reliable and actionable vulnerability information for all Amazon distributions and kernel packages.
Standardizing Java Versioning for Accurate Vulnerability Mapping
Inconsistent version numbering for Java products led to several false positives in Prisma Cloud security scans. To ensure accurate mapping of vulnerabilities to Java versions, all Java product versions will be normalized to the standard 1.x format. For example, in the CVE-2023-21930 entry on the National Vulnerability Database (NVD), OpenJDK 8 will map to Java 1.8.
Enhanced Detection for Minor Versions in Alpine Packages
Alpine’s security database shows vulnerabilities for each Alpine package, including fixed versions and associated CVEs. However, when the CVE does not include a fixed version, the rule misses vulnerabilities in minor versions, leading to incomplete vulnerability coverage. This issue has been fixed. The updated vulnerability rules ensure that minor versions are included, even when no specific fixed version is available.
CVEs Resolved in Release 33.00
While alerts were generated for CVE-2024-6104 and CVE-2024-29018, Prisma Cloud was not directly vulnerable and remained safe to use. The alerts have been resolved in Prisma Cloud release 33.00.
Customers could pass invalid data to the v1/alert-profile and collections APIs. To address this issue, the following validations have been added:
- For v1/alert-profiles APIs:
  - The name parameter must be less than 50 characters.
  - The email address must be valid.
  - The port parameter must not be less than 1.
  - The recipient’s email address must be valid.
- For Collections:
  - The name parameter must be less than 50 characters.
  - The description parameter must be less than 200 characters.
Improved Image Scanning
If the Defender disconnects while scanning an image that has the same tag, registry, repository, and credentials, it can lead to multiple scan requests of the same image. In addition, a race condition could sometimes prevent the image from being properly removed from the host container registry after scanning. This fix ensures that only one scan is performed per image, even if multiple scan requests are triggered by disconnections. This reduces the load on the Defender.
The fix also addresses the race condition. However, not all possible race conditions are addressed:
- If the same image is scanned in different repositories or registries, race conditions are not addressed by this fix.
- If the same image is scanned in the same repository and registry but with different tags, the fix does not handle potential race conditions.
Agentless Scanning - Support for OCI root compartment scans
OCI instances deployed in the root compartment were not scanned during Agentless scans. Instances in child compartments were scanned as expected, but root compartment instances were excluded without error. This issue is fixed; all compartments, including the root, are now scanned successfully.
Compliance IDs 440/441 in Lambda Scans
Compliance IDs 440/441 triggered false positives during a serverless Lambda scan for kms permissions. This issue is fixed.
Improved Clarity in Incident Log Messages
In certain cases, the command that triggered an incident was missing from the incident capture flow. This caused the messages in the Incident Explorer to occasionally lack clarity, leading to incomplete logs. The fix ensures that executed commands are now included in audit reports when available. Additionally, it prevents the generation of incomplete reports if the command is missing.
Reduced Registry Scan Duration
Prisma Cloud sometimes experienced extended registry scan times due to certain images not being correctly recognized. This led to the registry scan missing cached images, resulting in longer scan durations. The cache miss happened because the image ID hash from the Container Runtime API was missing the sha256 prefix. The issue has now been fixed by using the hash from the registry scan request sent by the Console, when available. This ensures cache hits and enhances scan performance.
Agentless Scanning - Resource Group Creation in Target Azure Account during Hub Scan Mode
Fixed an issue where resource groups were created in the target account during Azure agentless Hub scan mode. Now, resource groups are no longer created in the target account when a hub account is defined on it.
For some GO package CVEs, Prisma Cloud did not completely report all the affected versions, particularly when multiple version ranges were involved, resulting in occasional false negatives.
This issue is fixed. Prisma Cloud now reports all the affected versions for GO package CVEs.
Add collections filtering behavior
Previously, when image scan results were filtered by collection, the Collections column listed only the collection selected in the filter. This issue is fixed now: for each image, all related collections are displayed, even when a specific collection filter is applied.
When a JAR file with a group ID is used as a dependency in other JAR files within the same image, Prisma Cloud might fail to properly identify or match CVEs to those JAR files.
This issue is resolved. Prisma Cloud now correctly handles group IDs in both the Defender and the Console, improving the ability to identify CVEs accurately for such JAR files.
includeLabels is added to the Download Container Scan Results API. This change will add all the labels corresponding to each container in the API response.
urllib3 for Python versus python3-urllib3 for RPM. This inconsistency led to potential false positives or missed vulnerabilities. In order to validate if the third-party package should be reported, Prisma Cloud now also assesses the origin package name.
<registry>/<image_name>:<version>-<release>.
Previously, Prisma Cloud skipped scanning Federal Information Processing Standards (FIPS)-enabled OpenSSL packages to avoid overriding older releases, and instead matched against non-FIPS versions. This led to inaccurate vulnerability reporting.
This issue has been fixed. Prisma Cloud now fully supports scanning FIPS-enabled OpenSSL versions, ensuring correct vulnerability detection and eliminating false positives.
Previously, errors encountered during image scans by Defender were not added to the console log.
This issue has been fixed. Now, when Defender scans images, error messages are printed to the console log along with the image ID and the name of the Defender.
Resolved parsing issues in vulnerable package versions.
The fix resolves the following issues related to detection of vulnerable package versions:
- Correct parsing of vulnerable package versions.
- Parsing of version ranges with different prefixes.
- Handling of conditions for multiple versions to ensure they are added to the Intelligence feed. This resolves both false negative and false positive alerts.
incidentTime macro for webhook alerts. The macro shows the time the incident occurred. For example, Jan 21, 2018 UTC. Go to Alerts Webhook to learn more about the macro.
--build and --job flags to include the build number and the job name to help identify the image as a build image that will be presented in the above screens.
github.com/containers/storage to v1.42.0 (or later).
_group.
v31.02.133, the new 81 out-of-box admission control rules in Rego were not available by default. This is now fixed. With the v32.00 Console, you now get all the 81 OOB admission control rules.
osDistro and osVersion, to hosts scanned by agentless scanning.