23.3.21 Release Notes
Important Changes to Review
Changes to Paths for Hosted Customers
As of Release 23.3.7, accessing static data via /divvy/ will no longer work. In these cases, use /static/ instead, which functions identically. The most common examples of usage of these paths are the Logo URL of custom packs that reference cloud provider images and some Plugins. [ENG-20367]
Updates to Endpoint Handling
InsightCloudSec’s 23.2.28 release included updates to our internal webserver library, Flask. As a result, some of our endpoint handling has changed in the following ways:
- Any requests submitting JSON to an endpoint must explicitly include the Content-Type: application/json header (e.g. for POST requests).
- Any requests POSTing empty bodies may fail with a 500 error, because an empty body is not valid JSON for an endpoint that expects one.
- Plugins that declare custom endpoints will also be affected by the above changes.
For more information about the above changes, refer to the details linked here. [ENG-23896]
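A pre-flight check for the two changes above, written here as an added example rather than InsightCloudSec's own code: it rewrites deprecated /divvy/ static paths to /static/ and flags requests that would fail under the stricter JSON handling (missing Content-Type header, empty body on a JSON endpoint). Whether a given endpoint expects a JSON body is assumed to be known by the caller, and sending an empty JSON object in place of an empty body is an assumption about what the endpoint accepts.

```python
import json
from urllib.parse import urlparse, urlunparse


def migrate_static_url(url: str) -> str:
    """Rewrite a /divvy/ static path to the equivalent /static/ path; other URLs are unchanged."""
    parts = urlparse(url)
    if parts.path.startswith("/divvy/"):
        parts = parts._replace(path="/static/" + parts.path[len("/divvy/"):])
    return urlunparse(parts)


def check_json_request(headers: dict, body, expects_json: bool = True) -> list:
    """Return the problems a request would hit under the updated endpoint handling.

    headers: request headers; body: raw body (str, bytes or None);
    expects_json: whether the endpoint requires a JSON body (assumed known by the caller).
    """
    problems = []
    # Header names are case-insensitive, so normalise before looking up Content-Type.
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    empty = body is None or len(body) == 0
    if empty:
        if expects_json:
            problems.append("empty body to an endpoint that expects JSON (would 500)")
        return problems
    if not ctype.lower().startswith("application/json"):
        problems.append("body sent without Content-Type: application/json")
    try:
        json.loads(body)
    except (ValueError, TypeError):
        problems.append("body is not valid JSON")
    return problems


def build_json_request(payload=None):
    """Build (headers, body) satisfying the new rules.

    None becomes an empty JSON object; this assumes the endpoint accepts {} where it
    previously tolerated no body at all.
    """
    body = json.dumps({} if payload is None else payload)
    return {"Content-Type": "application/json"}, body
```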
InsightCloudSec Software Release Notice - 23.3.21 Release
Release Highlights (23.3.21)
InsightCloudSec is pleased to announce Release 23.3.21. This release includes updates to AWS Distributed tables with a deletion protection property. We have also updated our CIS Benchmark for Azure support with the Center for Internet Security (CIS) - Azure 2.0 Compliance Pack. In addition, this release also provides details around some previous Security Updates. Release 23.3.21 includes one new Insight, five new Query Filters, one updated Bot action, one new Bot action, and ten bug fixes.
- Contact us through the unified Customer Support Portal with any questions.
Self-Hosted Deployment Updates (23.3.21)
Release availability for self-hosted customers is Thursday, March 23, 2023. If you’re interested in learning more about becoming a hosted customer, reach out through our Customer Support Portal.
Our latest Terraform template (static files and modules) can be found here: https://s3.amazonaws.com/get.divvycloud.com/prodserv/divvycloud-prodserv-tf/example-usage/aws/release/divvycloud-tf-release.zip
Modules can be updated with the terraform get -update command.
Security Updates (Previous Version)
The following security updates were provided as part of our 23.2.1 release. Thanks to NephoSec for their findings and support on these updates. Details can be found here.
References
- Fixes CVE-2023-1304, an issue with getattr() method access
- Fixes CVE-2023-1305, an issue with box object access
- Fixes CVE-2023-1306, an issue with resource.db() method access
Resources (23.3.21)
AWS
- We have updated harvesting locations to reflect newly supported regions for AWS Prefix Lists (VPCs) and AWS EKS. See Amazon Virtual Private Cloud (VPC) Prefix Lists now available in two additional regions and Amazon EKS is now available in the Asia Pacific (Melbourne) Region. [ENG-24631]
- Added ability to disable Least Privileged Access (LPA): added a delete button to the IAM Settings > AWS LPA Working Directory page so users can delete and disable their LPA to prevent unwanted costs. [ENG-24411]
- Added deletion protection property to Distributed Tables (AWS): We have added the newly supported property Deletion Protection for Distributed Tables, which is available in Resource Details and Resource Listing. We have also added a Query Filter "Distributed Table Deletion Protection" to find resources that have the property disabled or enabled. Finally, we have added an action "Update Distributed Table Deletion Protection" in BotFactory and Resource Details to change the Deletion Protection property. [ENG-24567]
Insights (23.3.21)
AZURE
- We updated the Azure CIS Benchmark to version 2.0. Azure Security Benchmark v2.0 builds on the previous work of Azure Security Benchmark v1.0. [ENG-24700]
- Microsoft Defender for Cosmos DB Is Set To 'Off' - New Insight identifies Azure subscriptions which have Microsoft Defender for Cosmos DB set to 'Off'. [ENG-18783]
Query Filters (23.3.21)
AWS
- Distributed Table Deletion Protection - New Query Filter identifies distributed tables based on whether or not they have deletion protection enabled. [ENG-24567]
- Load Balancer Is CDN Origin - New Query Filter identifies load balancers that are functioning as an origin of a content delivery network (CDN), or optionally, a specific content delivery network. The Query Filter can also identify load balancers not functioning as an origin of a CDN. [ENG-24420]
- Load Balancer Endpoint For Global Load Balancer - New Query Filter identifies load balancers that are functioning as an endpoint for a global load balancer, or optionally, a specific global load balancer. The Query Filter can also identify load balancers not functioning as an endpoint of a global load balancer. [ENG-24420]
AZURE
- Cloud Account with Microsoft Defender for Cosmos DB Set To 'Off' - New Query Filter matches Azure subscriptions which have Microsoft Defender for Cosmos DB set to 'Off'. [ENG-18783]
- Resource With Azure VNet Access From Unknown Subscription - New Query Filter identifies Azure Resources that are allowing ingress network connectivity from an unknown third-party VNet/subnet. [ENG-24833]
Bot Actions (23.3.21)
AWS
- "Enable Continuous Backups for Distributed Table" - This Bot action was renamed from "Enable Continuous Backups". The Bot action enables point-in-time recovery for a distributed table. [ENG-24567]
- "Update Distributed Table Deletion Protection" - New Bot action updates the deletion protection setting for a distributed table. [ENG-24567]
MULTI-CLOUD/GENERAL
- “Attach Policy to Role” - Updated the BotFactory action to reflect immediately in the local environment without harvesting down role and policy information from the cloud provider. [ENG-22920]
Bug Fixes (23.3.21)
- Fixed a bug where StorageContainer resources were not available during IAC analysis. [ENG-24842]
- "Invoke Serverless Function" - Expanded Bot action to support sending data from Azure, GCP, Alibaba Cloud, and Oracle. [ENG-24834]
- Fixed a bug with exemption delete that would delete all exemptions when a filtered search was applied. [ENG-24815]
- Fixed a bug where the latest Kubernetes versions supported by a cloud provider could be out of sync for IAC scans. [ENG-24746]
- Fixed a bug that would not properly flag AWS accounts as having impaired visibility when permissions were validated within the UI. [ENG-24738]
- Fixed an issue where MS Graph permissions could not be retrieved when credential objects had not been harvested or there were permission issues attempting to retrieve your Azure policy/role information. Added a fallback API call to retrieve this information. If you still cannot scan cloud visibility for Azure, check that the credential object has the permissions stated in the documentation. [ENG-24717]
- Fixed an issue where the Azure Organization config edit form would not save unless credentials were re-entered. [ENG-24590]
- Resolved a bug in the CloudVM job that occurred for instances with no known vulnerabilities. [ENG-24518]
- Modified the database action "Modify Database/Big Data Instance Attribute" to no longer schedule public accessibility changes for Azure Flexible database instances. [ENG-24150]
- Fixed a bug where public Data Factories in Azure were not flagged as public in ICS. This occurred when Data Factories were deployed via IaC. [ENG-23638]
Reference: Required Policies & Permissions
Policies required for individual CSPs are as follows:
Alibaba Cloud
AWS
- Commercial
- Managed Read Only Supplement Policy
- Customer-Managed Read Only Policy
- Commercial Power User Policy
- GovCloud
- Read Only Policy
- Power User Policy
- China Read Only Supplement
Azure
- Commercial
- GovCloud
GCP
- For GCP, since permissions are tied to APIs there is no policy file to maintain. Refer to our list of Recommended APIs that is maintained as part of our GCP coverage.
Oracle Cloud Infrastructure
Host Vulnerability Management
For any questions or concerns, as usual, reach out to us through your CSM, or the Customer Support Portal.