Illumio Core What's New and Release Notes for 23.5

Resolved Issues in Release 23.5.20

Enterprise Server

  • Lookup by external_data_reference not working (E-111950)

    When a label was created using the API and later edited in the UI, the lookup by external_data_reference did not work. This issue is fixed.

  • Rule writing issue using Illumination Plus (E-115225)

    Users could not write rules based on a port number using the automatic rule creation tool in Illumination Plus. This issue is fixed.

  • Save and Provision for a rule failed (E-115047)

    After performing Save and Provision for the rule, the Comment field did not show up and the rule was not provisioned. This issue was fixed.

  • Upgrade net-ssh-6.1.0.gem to 9.5.0.0 or higher to address CVE-2023-48795 (E-114139)

    The upgrade has been performed.

  • Upgrade rails-6.1.7.4.gem to 6.1.7.7, 7.0.8.1 or higher to address CVE-2024-26144 (E-114138)

    Starting with Rails version 5.2.0, there was a possible sensitive session information leak in Active Storage. This vulnerability was fixed in Rails releases 7.0.8.1 and 6.1.7.7, and this issue will not be addressed.

  • Sudo access for ilo-pce (E-113745)

    This issue is fixed, and the command ilo-pce does not require sudo access.

  • App Group Rule listing is missing Rulesets (E-113259)

    Intra-scope rules were not showing up in the App Group rules menu. This issue is fixed.

  • The Policy check did not show disabled Pending Rules (E-112974)

    This issue is fixed.

  • Explore Traffic showing traffic for labels that do not match the query (E-112968)

    When running an Explore traffic query for a particular label combination, the results showed traffic from a different query. This issue is resolved, and the results match the labels specified in the filters.

  • Changes to system_health events after upgrade to 23.2.20 (E-112922)

    After upgrading to PCE 23.2.20, system health events included "illumio_pce/cli" rather than "illumio_pce/system_health". This issue is resolved.

  • Expose ip_forwarding_enabled as a public stable API (E-112464)

    The GET/PUT firewall_settings API is exposed as public stable for the ip_forwarding_enabled field only.

  • Unresponsive web page when writing rules (E-110946)

    When users were writing a rule in the PCE, the webpage became unresponsive. This issue is fixed.

  • Replication/PCE Monitoring (E-110216)

    Replication Monitoring (Health and CLI) and PCE Monitoring tasks have been closed.

  • Explorer page bug (E-108585)

    When the policy was changed, the traffic view grid pagination in the draft view did not reset to page 1. This issue has been resolved.

Containers

  • Kubernetes Workload service network interfaces are unnecessarily updated upon every Node update (E-114962)

    On every network interface update of a cluster node, the network interfaces of every Kubernetes Workload of type Service were getting updated. This caused a large number of workload_ip_address_change events to be created when used with thousands of services. This behavior worsened when many nodes were re-deployed at the same time (unpaired/paired) while there were Kubernetes Workloads already present.

VEN

Note

These notes apply to version 23.2.23.

  • Combination of factors caused policy sync failure on RHEL 9.X OS VENs (E-115693)

    Policy sync failed and an error was thrown when the PCE applied custom iptables rules to VENs installed on RHEL 9.X OS (or later) workloads with the iptables-nft-1.8.10 package. The issue stemmed in part from invalid syntax introduced by iptables-nft-1.8.10. This issue is resolved on 22.2.45-9201 VENs and later.

  • Potential for FQDN-based rules to fail (E-114964)

    In an environment implementing an IPv6 nameserver, FQDN-based rules may not have been enforced as expected. This issue is fixed.

  • VEN installation failed on Amazon Linux 2023 (E-113934)

    This issue was caused by a change Amazon made to the format of the release name in the system release file. This issue is fixed.

  • ICMP code misinterpretation caused a false positive tampering error (E-113439)

    After misinterpreting a rule specifying the ICMP protocol, the VEN generated a false positive tampering error. This issue was resolved by updating the VEN to normalize ICMP code.

  • Support for pairing VENs on AWS Workloads with IMDS v2 (E-109528)

    This VEN release provides support for pairing VENs on AWS workloads with Instance Metadata Service Version 2 (IMDS v2). This update was necessary to support IMDS v2 session-oriented authentication.

VEN Known Issue

Note

This note applies to version 23.2.23.

  • False positive firewall tampering error (E-113892)

    If the PCE pushes a policy that is identical to the existing policy already on the VEN, the more recent policy is not applied, and the existing policy remains in the current directory. This results in the current directory and the runtime firewall having different policy IDs. Because the VEN interprets this difference as firewall tampering, it generates a tampering error. This is expected behavior. Workaround: restart or suspend/unsuspend the VEN manually or through the PCE Web Console. The VEN flushes the existing rules and then applies the rules in the current directory.

Security Information

This section provides important security information for this release. For additional information about security issues, security advisories, and other security guidance pertaining to this release, see Illumio’s Knowledge Base in Illumio's Support portal.

  • json-jwt-1.13.0.gem upgraded to json-jwt-1.16.6 (E-114939)

    json-jwt-1.13.0.gem was upgraded to json-jwt-1.16.6 to address CVE-2023-51774. This CVE did not impact Illumio PCE.