
Releases: PaloAltoNetworks/twistlock-defender-helm

33.02.134

10 Dec 01:02
5c07252

Release Notes

Scanning Support for Red Hat UBI Micro-images

Prisma Cloud now supports scanning of Red Hat UBI micro-images (versions 7, 8, and 9).

Improved Vulnerability Detection for non-RPM OpenShift Packages

Vulnerability reports for OpenShift non-RPM container components now ensure consistent vulnerability matching across all OpenShift packages.

This improvement reduces false positives by applying only relevant CVEs and excluding CVEs that have already been patched.

Improved Vulnerability Detection for Google Kubernetes Engine (GKE) Clusters

Vulnerability detection for Google Kubernetes Engine (GKE) Clusters includes the following enhancements:

  • Integration with Google security bulletins
  • Aligning CVEs with specific GKE cluster types and versions
  • Expanded support for all GKE modes, including Autopilot

Helm Chart Updates

Fixed encoded Base64 environment secrets

When the External Secrets Operator was not used, the ws_address and install_bundle values were written to envsecrets.yaml without base64 encoding. Kubernetes requires every value under a Secret's data field to be base64-encoded, so the deployment failed on these two values. The chart now encodes them.
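An added check for the failure mode described above (this is not code from the chart): it validates that every value under `data:` in a rendered envsecrets.yaml is canonical base64, which is what the Kubernetes API requires. The key names ws_address and install_bundle come from the release note; the sample manifest, its values and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of twistlock-defender-helm: detect Secret data values that
# were rendered without base64 encoding. Sample manifest and values are constructed.

# encode_value STRING -> single-line base64, the same shape Helm's b64enc produces
encode_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# is_b64 VALUE -> exit 0 only if VALUE decodes and re-encodes to exactly itself
is_b64() {
  [ -n "$1" ] || return 1
  [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | base64 | tr -d '\n')" = "$1" ]
}

# find_unencoded_keys MANIFEST -> prints each data key whose value is not base64
find_unencoded_keys() {
  # extract "key<TAB>value" pairs from the top-level data: block only
  awk '
    /^data:/ { in_data = 1; next }
    /^[^ ]/  { in_data = 0 }
    in_data && /^  [A-Za-z0-9_.-]+: / {
      sub(/^  /, ""); sub(/: /, "\t"); print
    }' "$1" |
  while IFS="$(printf '\t')" read -r key value; do
    value=${value#\"}; value=${value%\"}   # tolerate a value rendered with | quote
    is_b64 "$value" || echo "$key"
  done
}

# Constructed manifest reproducing the bug: ws_address is raw, install_bundle is encoded.
SAMPLE_MANIFEST=$(mktemp)
cat > "$SAMPLE_MANIFEST" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: twistlock-secrets
type: Opaque
data:
  ws_address: wss://console.example.internal:8084
  install_bundle: $(encode_value 'constructed-install-bundle-blob')
EOF

find_unencoded_keys "$SAMPLE_MANIFEST"   # prints: ws_address
```

Run it against the output of `helm template` for the chart before applying it; any key it prints will be rejected by the API server (or, if the value happens to be decodable garbage, silently handed to the Defender as the wrong bytes). An empty value is also treated as unencoded, since an empty ws_address would never be what was intended.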

Twistlock Defender DaemonSet Helm Chart 33.01.137

09 Oct 17:58

Release Notes

Multiple Intelligence Stream (IS) Builders for Compatibility across Console and Defender Versions

Starting from this release, Prisma Cloud will introduce versioning for the Intelligence Stream (IS) to ensure compatibility across different Console and Defender versions.

Purpose of Intelligence Stream (IS) versioning

  • Maintain functionality for older Consoles and Defenders: IS versioning ensures that older Consoles and Defenders continue to operate properly, even if they’re unable to support the latest Intelligence feeds (for example, due to changes in external data feed formats).

  • Reduce disruptions: Versioning helps minimize disruptions caused by updates, such as changes in downloaded JSON file fields that could impact CVE accuracy or result in duplicate CVEs.

Impact on Prisma Cloud Customers

  • Enterprise Edition (SaaS) customers: Aren’t affected as they always have the latest Console version.

  • Compute Edition (self-hosted) customers: IS versions will be aligned with specific Console versions. For example, older 31.xx and 32.xx Consoles will be supported by the IS version released for Console 33.00. When customers upgrade to the latest Console version, they will receive the most recent IS updates.

Vulnerability Reporting Consistency

  • New Intelligence Stream (IS) logic updates: These updates will only apply to the latest IS versions.

  • Vulnerability data: All IS versions will continue to provide up-to-date vulnerability information, and changes in IS logic or algorithms won’t affect the vulnerability metrics and reporting in the Console.

Support for Deploying Defenders on Podman Containers

Previously, Prisma Cloud supported scanning Podman images in the CI pipeline using twistcli. With this release, Prisma Cloud now supports deploying Defenders on Podman containers, providing comprehensive visibility and protection for workloads running in Podman environments.

This enhancement enables full protection for Podman containers, including continuous vulnerability scanning, compliance policy enforcement, and active runtime security monitoring.

To deploy a Linux Container Defender on Podman, navigate to Manage > Defenders > Manual Deploy > Single Defender. Select Container Defender - Linux as Defender Type. In the Container Runtime Type field, select Podman (the default is Docker).

If you select Podman, the installation script automatically includes the --install-podman argument.

If your Podman environment uses a custom runtime socket path, you can specify it using the --podman-socket argument.

For example, to use Podman with a custom runtime socket path, the installation command would be:

curl -sSL --header "authorization: Bearer <TOKEN>" -X POST <TENANT URL>/api/v1/scripts/defender.sh | sudo bash -s -- -c "stage-consoles-cwp.cloud.twistlock.com" -v --install-podman --podman-socket "<custom_runtime_socket_path>"
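An added helper for working out what to pass to --podman-socket (this is not part of the Prisma Cloud installer). The probe order reflects Podman's own defaults: /run/podman/podman.sock is created by the podman.socket systemd unit for the root user, and $XDG_RUNTIME_DIR/podman/podman.sock is the rootless location. The `podman info --format '{{.Host.RemoteSocket.Path}}'` query is Podman's CLI (Podman 3 and later); the function names and the temporary paths in the usage are constructed.

```shell
#!/bin/sh
# Added example, not the Prisma Cloud installer: locate the Podman API socket so the
# Console-generated install command can be run with the right --podman-socket value.

# first_existing_socket PATH... -> prints the first path that exists, exit 1 if none
first_existing_socket() {
  for p in "$@"; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# podman_socket_path -> ask podman itself, then fall back to the default locations.
# The install script runs under sudo, so the rootful socket is the one that matters.
podman_socket_path() {
  if command -v podman >/dev/null 2>&1; then
    s=$(podman info --format '{{.Host.RemoteSocket.Path}}' 2>/dev/null)
    [ -n "$s" ] && [ -e "$s" ] && { printf '%s\n' "$s"; return 0; }
  fi
  first_existing_socket /run/podman/podman.sock \
    "${XDG_RUNTIME_DIR:-/nonexistent}/podman/podman.sock"
}

# defender_podman_args SOCKET -> the arguments to append after `bash -s --` in the
# install command from the Console (see the curl line above)
defender_podman_args() {
  printf -- '--install-podman --podman-socket "%s"\n' "$1"
}

# Usage: fail loudly rather than letting the Defender start with no socket to watch
if sock=$(podman_socket_path); then
  echo "append to the install command: $(defender_podman_args "$sock")"
else
  echo "no Podman socket found; enable it with: systemctl enable --now podman.socket" >&2
fi
```

If no socket exists the install will appear to succeed but the Defender will have nothing to observe, so check this before, not after, running the curl | bash line.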

SHA-256 Checksum for Defender Image Downloads

Prisma Cloud now enables users to validate the integrity of Defender images downloaded from the Console using a SHA-256 checksum, ensuring the downloaded image matches the server version.

To access the feature, do the following:

  1. In the Console, go to Manage > System > Utilities.

    The SHA-256 checksum is available next to the downloadable Defender image.

  2. Click Show Checksum to view the checksum to verify the downloaded image.

    Comparing the two values confirms that the downloaded image is byte-for-byte what the Console served and was not corrupted or altered in transit.
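The comparison itself, as an added example rather than anything Prisma Cloud ships: it rejects a pasted value that is not a 64-character hex digest before comparing, so a SHA-1 or a truncated copy cannot pass by accident. The stand-in "image" is a constructed file whose contents are the well-known SHA-256 test vector "abc"; in practice the file is the archive downloaded from Manage > System > Utilities and the expected value is the one shown by Show Checksum.

```shell
#!/bin/sh
# Added example, not from Prisma Cloud: verify a downloaded Defender image archive
# against the SHA-256 shown in the Console. Sample file and value are constructed.

# sha256_of FILE -> lowercase hex digest (GNU coreutils, or shasum on macOS/BSD)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_image FILE EXPECTED -> 0 on match, 1 on mismatch or unreadable file,
# 2 if EXPECTED is not a SHA-256 digest at all
verify_image() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \n')
  case "$expected" in
    *[!0-9a-f]*) return 2 ;;                 # non-hex characters in the pasted value
  esac
  [ ${#expected} -eq 64 ] || return 2        # wrong length: SHA-1, MD5, or a truncated paste
  [ -r "$1" ] || return 1
  [ "$(sha256_of "$1")" = "$expected" ]
}

# Constructed stand-in for the downloaded image: the standard "abc" test vector
IMAGE=$(mktemp)
printf 'abc' > "$IMAGE"
EXPECTED_ABC=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

if verify_image "$IMAGE" "$EXPECTED_ABC"; then
  echo "checksum OK: safe to load the image"
else
  echo "checksum MISMATCH: discard the download" >&2
fi
```

Read the expected value from the authenticated Console session, not from a copy that travelled with the file. A matching digest proves the bytes are the ones the Console served; it is not a signature, so it says nothing about the Console itself.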

Twistlock Defender DaemonSet Helm Chart 33.00.169

10 Sep 15:10

Release Notes

Lifecycle Support Update

Prisma Cloud officially guarantees backward compatibility with up to two previous major versions (N-2).

Although the support lifecycle is unchanged, starting from version 33.xx Prisma Cloud will not block Defenders or REST API calls from up to three major releases before the current version (N-3).

For example, with the current version at 33.xx, API calls and Defenders from version 30.xx will be allowed, but support and complete backward compatibility are guaranteed only for the 32.xx and 31.xx releases.

Transition from OVAL to VEX Format for Red Hat Security Data

Prisma Cloud is transitioning from the OVAL format to the new VEX format that Red Hat has introduced and adopted for reporting security data and vulnerabilities in Red Hat artifacts.

  • Pre-33.00: Until you upgrade to a 33.xx release, Prisma Cloud will continue using OVAL for vulnerability scanning with no expected impact.

  • 33.xx: After upgrading your Console and Defenders to version 33.00 or later, Prisma Cloud will switch to the VEX format for vulnerability reporting. This transition might result in a change in the number of reported CVEs due to the inherent differences between the VEX and OVAL content.

  • Comparison Between OVAL and VEX Formats: With the OVAL format, Prisma Cloud reports a vulnerability for each binary found during the scan. With the VEX format, Prisma Cloud reports one vulnerability for the source package and lists the related binaries. The number of findings sharing the same CVE ID is therefore reduced, because one finding is reported per RPM source package instead of one per binary.

  • Continued Support: Prisma Cloud will continue to support OVAL format for two major versions—v33.xx and v34.xx—to maintain compatibility with Defenders in pre-33.xx releases, as long as Red Hat continues to produce OVAL files.

  • Expected Console Loading Time in the 33.xx release: For new Consoles paired with new Defenders, the Console loading time after a restart event will be approximately 1-2 minutes.

  • Console Memory Usage in the 33.xx release: For self-hosted users upgrading to the latest Console, the Console memory requirement is 8 GB. This requirement applies only to the self-hosted editions.

Enhancement to WAAS Agentless Support

WAAS agentless rules now support traffic inspection for AWS Application Load Balancers (ALBs) in addition to AWS EC2 instances. Ensure your AWS account is onboarded to the Prisma Cloud console and then configure the ALB rule.

To add the ALB rule access Defend > WAAS > Add Rule > Add Configuration. Ensure your CloudFormation template is applied with the necessary permissions to your onboarded AWS account in the region where the ALB resides. You can view the scan results in the Prisma Cloud console to monitor and manage your ALB traffic inspection.

This feature is enabled on request. Please contact your Account team for more details.

For more details check the features introduced in September 2024

Helm Chart Updates

Requests CPU and Memory values

Included the following values in all helm charts:

requests_cpu: '"256m"' 
# requests_memory: '"512Mi"'

These values set the CPU and memory requests on the Defender container. requests_memory is commented out by default; uncomment it to set a memory request.

Twistlock Defender DaemonSet Helm Chart 32.07.123

10 Sep 13:27

Release Notes

A new registry scan status

A new status, Partially Completed, has been added to the scan statuses for registry scans. This status is assigned when at least one image has been successfully scanned in the registry.

New Registry Status

It also displays the number of images that have been scanned successfully.

Severity Mapping Update for Intelligence Stream

The severity values for the Intelligence Stream are now mapped into two predefined values: “High” and “Medium”.

Note: The severity values are already normalized to create rules. The current change is only specific to the severity reporting name change.

The following list defines the new vendor severity mapping:


  • Current Severity: Important
  • New Severity: High
  • Vendors: Amazon, Oracle, RedHat, Rocky, Suse, Ubuntu

  • Current Severity: Moderate
  • New Severity: Medium
  • Vendors: Oracle, RedHat, Rocky, Suse, Windows

  • Current Severity: End-of-life
  • New Severity: Low, Medium, High, or Critical based on NVD
  • Vendors: Debian

Note: End-of-life will be set in the vulnerability status.


Note: The previous “unimportant”, “unassigned”, “untriaged”, “negligible” and “not yet assigned” severity mapping behaviour remains unchanged.

All the other unrecognized severity values from the different feeds will be assigned according to the NVD severity.

For more information, see CVSS Scoring.

End of support for Debian 10 (Buster)

Debian 10 (Buster) reached end-of-life on June 30, 2024. Starting from July 2024, the Debian Long Term Support (LTS) team has stopped providing security information for Debian 10.

Consequently, vulnerabilities related to Debian 10 (Buster) were removed from the Prisma Cloud Intelligence Stream.

Impact: Starting from this version, customers using Debian Buster (LTS or ELTS) will no longer see vulnerability data related to this version.

Enhancement to Photon OS and Amazon Linux OS Feeds

Prisma Cloud now parses Photon OS and Amazon Linux OS feeds using CVE IDs as the primary vulnerability identifier instead of advisory IDs. This change enhances Prisma Cloud’s ability to correlate third-party data, and use vendor-provided information, including backports, severity assessments, and vulnerability scores.

For more details check the features introduced in July 2024