Resolved Issues in Release 24.2.10
Resolved Security Issue in Release 24.2.10-PCE
ruby-saml
The PCE bundled a version of ruby-saml, a third-party SAML library, that was affected by CVE-2024-45409 (improper verification of SAML response signatures, allowing an authentication bypass against SAML single sign-on). The component has been upgraded to a fixed version; upstream fixed the issue in ruby-saml 1.12.3 and 1.17.0.
Resolved Issues in Release 24.2.10-PCE
Last updated policy timestamp for C-VENs reflects Kubernetes Workload policy changes (E-118372)
The last updated policy timestamp on C-VENs now updates after a C-VEN successfully updates the policy for its pods.
Navigation error while navigating to Authentication Settings > SAML: Not Found (E-118183)
In PCEs running 22.5.32, navigating to Authentication Settings > SAML sometimes cancelled the navigation and displayed a "Navigation error details" popup. This issue is resolved.
PCE sending partial IPP instructions (E-117863)
The PCE sent partial IPP instructions. Because the current Kubelink cannot consume partial instructions, this caused the instructions to be replaced. This issue is resolved.
Erroneous Ransomware Exposure status for AIX and Solaris workloads (E-117858)
Solaris and AIX workloads always showed their Ransomware Exposure status as Protected. This issue is resolved.
Unmanaged workloads created incorrectly (E-117637)
Unmanaged workloads created via the Deny Rules menu were incorrectly created with the previous creation's Name and hostname. This issue is fixed.
Policy generator throwing an error when saving rules (E-117499)
When users tried to save a rule containing custom iptables rules, the Policy Generator returned an "Unexpected input validation error". This issue is resolved.
"Duplicate key value" error occurs during database migration phase of PCE upgrade (E-117235)
When upgrading the PCE from 22.5.32 to 23.2.21, during database migration the following error occurred:
ERROR: duplicate key value violates unique constraint "flow_process_references_7_org_id_region_id_value_idx
Missing app-tiers label on pod using annotation (E-117004)
In non-CLAS (legacy) container clusters, when Illumio labels were applied through Kubernetes annotations, a label key containing a dash was not assigned to Container Workloads. For example, a pod annotation of annotation.com.illumio.app-tiers with the label value AT_A did not create the label type App-Tiers or the label AT_A. This issue is resolved for new Container Workloads created on this release. Upgrading the PCE to this release does not fix existing Container Workloads whose labels contain a dash character. To fix such existing Container Workloads, edit the Container Workload Profile to add another possible value for the dash-containing label; after you save this edit, the existing Container Workloads are re-labelled correctly with their assigned annotation values.
NEN 2.6.20 is stuck in "ACL generation pending" (E-116805)
In a configuration with a 2.6.20 NEN paired with a supercluster member on PCE Version 22.5.32-12, running "Generate ACLs" never completed, and only showed the "ACL Generation Pending" message without ever producing an ACL.
CLAS - Rules are not created for Kubernetes Workloads and VIPs (E-116721)
In CLAS-enabled deployments, rules written between a Kubernetes Workload and a VIP (from a virtual server, for example an F5 Virtual Server) were not created even after provisioning and did not appear in the PCE Web Console. This issue is resolved. For the PCE to send Virtual Server instructions to Kubernetes Workloads correctly, the new runtime environment variable clas_workloads_ipset_only_changes_enabled must be set to false in the PCE runtime_env.yml file, under the agent_service: section.
UI fields occasionally fail to load under Rulesets and Rules (E-116648)
Sometimes when writing a rule in 24.1.3-PCE, the Sources or Destinations fields failed to load properly or did not show the labels that had been chosen. This occurred when the grid layout was viewed on smaller screens, which reduced the height of the source/destination selector dropdown and caused options to be displayed incorrectly or hidden entirely behind a scrollbar. This issue is resolved.
Last updated policy timestamp for C-VENs reflects Kubernetes Workload policy changes (E-116258)
The last updated policy timestamp on C-VENs now updates after a C-VEN successfully updates the policy for its pods.
Host header manipulation issue fixed (E-116114)
Validation of the HTTP Host header was added to the PCE to prevent host header manipulation. This class of issue matters because a server that trusts the Host header of a request can reflect an attacker-chosen host name into the absolute URLs it generates, such as links in notification emails or redirects.
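The following is an added example of the kind of allowlist check such a fix involves; it is illustrative code, not the PCE's implementation. The allowlist (pce.example.com on ports 443 and 8443), the header dictionaries, and the helper names is_allowed_host and absolute_url are constructed for the example.

```python
"""Allowlist validation of the HTTP Host header.

Added example, not PCE code. The allowlist is constructed: in practice it is
the FQDN (and port) the service is configured to answer on, never something
derived from the request itself.
"""
from urllib.parse import urlsplit

# Constructed allowlist: (hostname, port) pairs the service legitimately answers on.
ALLOWED_HOSTS = {("pce.example.com", 443), ("pce.example.com", 8443)}


def is_allowed_host(host_header, allowed=ALLOWED_HOSTS, default_port=443):
    """Return True only if the Host header names an allowed (hostname, port) pair.

    Parsing the value as a URL authority (RFC 3986) instead of with ad-hoc
    string checks handles the usual manipulation tricks uniformly:
      - userinfo prefixes  ("evil.com@pce.example.com")
      - trailing paths     ("pce.example.com/admin")
      - suffix confusion   ("pce.example.com.evil.com", "pce.example.com:8443.evil.com")
      - case differences and bracketed IPv6 literals
    """
    if not host_header or any(c.isspace() for c in host_header):
        return False
    try:
        authority = urlsplit("//" + host_header)
        hostname = authority.hostname  # lower-cased; None if absent
        port = authority.port          # None if absent; ValueError if not a valid port
    except ValueError:
        return False
    if authority.username is not None or authority.password is not None:
        return False
    if authority.path or authority.query or authority.fragment:
        return False
    if not hostname:
        return False
    return (hostname, default_port if port is None else port) in allowed


def effective_host(headers, trust_proxy=False):
    """Pick the host value to validate.

    X-Forwarded-Host is honoured only when a trusted reverse proxy is known to be
    in front and to overwrite it; otherwise any client could set it. Either value
    is still passed through is_allowed_host afterwards.
    """
    if trust_proxy and headers.get("x-forwarded-host"):
        return headers["x-forwarded-host"].split(",")[0].strip()
    return headers.get("host", "")


def absolute_url(headers, path, allowed=ALLOWED_HOSTS, scheme="https", trust_proxy=False):
    """Build an absolute URL for a server-generated link (password reset, redirect).

    This is the spot Host header manipulation targets: if the unvalidated header
    were used here, an attacker-supplied host would end up in the link. Returns
    None when the host is not on the allowlist so the caller fails closed.
    """
    host = effective_host(headers, trust_proxy)
    if not is_allowed_host(host, allowed):
        return None
    return f"{scheme}://{host.lower()}{path}"


if __name__ == "__main__":
    for value in ("pce.example.com", "PCE.Example.COM:443", "evil.com",
                  "pce.example.com.evil.com", "evil.com@pce.example.com",
                  "pce.example.com:8443.evil.com", "pce.example.com/admin"):
        print(f"{value!r:40} allowed={is_allowed_host(value)}")
    print(absolute_url({"host": "pce.example.com"}, "/reset?token=abc"))
    print(absolute_url({"host": "evil.com"}, "/reset?token=abc"))
```

The comparison is against an exact (hostname, port) pair rather than a substring or suffix match, which is what defeats the suffix-confusion values in the list above; a "contains pce.example.com" check would accept all of them.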
curl upgraded to v8.8.0 (E-115842)
curl was upgraded to v8.8.0 to address CVE-2024-7264, CVE-2024-6197, CVE-2024-2466, CVE-2024-2398, CVE-2024-2379, and CVE-2024-2004.
External users with multiple scopes reporting PCE slowness (E-109314)
External users whose RBAC permissions include many scopes experienced PCE UI slowness, especially when browsing the VENs tab and querying traffic. This issue is resolved.
Resolved Issues in Release 24.2.10-VEN
Caution
Maintain VEN Operating System Support
Compatibility and performance issues can occur if the operating system version running on your workloads and endpoints is upgraded to a version that is not supported by the VENs on those machines. Before upgrading the operating system on workloads and endpoints, first make sure that the VENs installed on these machines support the new OS version. For workload VENs, see VEN OS Support Package Dependencies. For Endpoint VENs, see Endpoint VEN OS Support Package Dependencies.
False positive IPSec tampering error in platform.log (E-118562)
After rules with SecureConnect options were disabled, the error "IPSec policy tampered" still appeared in platform.log every 10 minutes. This issue is resolved, and the error no longer appears in this circumstance.
VEN misinterpreted flow direction (E-118007)
Linux VENs could fail to determine the flow direction correctly in some circumstances (for example, for UDP packets sent to a broadcast IP address), resulting in the VEN reporting an inbound flow as an outbound flow. This issue is fixed.
Transient environment variable could prevent applying policy (E-117699)
While upgrading any VEN version on Solaris workloads, VEN processes could inherit transient environment variables (for example, $TMPDIR) from the OS pkgadd command. This could prevent the VEN from applying policy until the VEN was manually restarted. This issue is resolved.
Policy application failed in some circumstances (E-117246)
Some earlier VEN versions failed to apply policy if the workload on which it was installed had multiple valid IPv6 DNS addresses. This issue is fixed.
Bug in nftables versions pre-0.9.2 prevented policy application (E-116635)
Policy failed to load on VENs installed on RHEL 8/9 workloads with a version of nftables earlier than 0.9.2. This issue is resolved.
Issue affecting the persistent connection between PCE and VEN (E-116177)
A regression introduced in the 22.5.33 and 23.2.23 Windows VEN releases could cause the Event Channel between the VEN and the PCE to stop functioning, delaying policy convergence. This issue is resolved.
PCE didn't recognize external IP address of external Azure VM (E-115935)
Unix VENs failed to detect that they were running in Azure, which prevented the PCE from recognizing the external IP addresses of the workloads. This issue is resolved: VENs now correctly detect when they are operating in an Azure environment.
ICMP code misinterpretation caused false positive tampering error (E-113439)
The VEN misinterpreted rules specifying the ICMP protocol and, as a result, raised a false positive tampering error. This issue is resolved: the VEN now normalizes the ICMP code.
Improper VM shutdowns caused VEN data file corruption (E-113231, E-109231)
If a workload was shut down improperly, such as by a sudden loss of power, and the kernel crashed, some critical VEN data files could have become corrupted, preventing the VEN from loading policy. This issue is resolved. Critical VEN data files are now more resilient to improper shutdowns of the workload.
Support for pairing VENs on AWS Workloads with IMDS v2 (E-109528)
This VEN release supports pairing VENs on AWS workloads that require Instance Metadata Service Version 2 (IMDSv2). The update was necessary because IMDSv2 uses session-oriented access: the client first obtains a session token with an HTTP PUT request and then presents that token in a header on each metadata request, and instances configured to require IMDSv2 refuse the token-less requests that IMDSv1 clients send.
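The following added example covers both of the cloud-related items above, Azure environment detection (E-115935) and the IMDSv2 token exchange (E-109528). It is illustrative code, not the Illumio VEN's implementation, and assumes nothing about how the VEN performs detection; it uses only the documented endpoints (the AWS IMDSv2 token path with its X-aws-ec2-metadata-token headers, and the Azure instance endpoint with its required Metadata: true header). The transport is injected as a fetch callable so the constructed fakes at the bottom let it run offline; the function names, the fake instance ID, the IP addresses and the token string are all constructed for the example.

```python
"""Cloud platform detection and IMDSv2 session-token access.

Added example, not Illumio VEN code. Pass urllib_fetch on a real VM; the
fake_*_fetch callables are constructed stand-ins so the module runs offline.
"""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"  # link-local metadata address used by both AWS and Azure
AWS_TOKEN_PATH = "/latest/api/token"
AWS_INSTANCE_ID = "/latest/meta-data/instance-id"
AWS_PUBLIC_IPV4 = "/latest/meta-data/public-ipv4"
AZURE_INSTANCE = "/metadata/instance?api-version=2021-02-01"

# IMDS must be reached directly; an HTTP proxy from the environment would break both services.
_DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def urllib_fetch(method, url, headers, timeout=2.0):
    """Real transport: returns (status, body); (None, '') when the endpoint is unreachable."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with _DIRECT.open(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def aws_imdsv2_get(path, fetch, ttl_seconds=21600):
    """IMDSv2 session flow: PUT to mint a token, then GET with the token header.

    On an instance with HttpTokens=required, a GET without the token (the IMDSv1
    style) is refused with 401, which is what prevented pairing before this release.
    """
    status, token = fetch("PUT", IMDS + AWS_TOKEN_PATH,
                          {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    if status != 200 or not token:
        return None
    status, body = fetch("GET", IMDS + path, {"X-aws-ec2-metadata-token": token})
    return body if status == 200 else None


def azure_instance_metadata(fetch):
    """Azure IMDS answers only requests carrying 'Metadata: true'; others get 400."""
    status, body = fetch("GET", IMDS + AZURE_INSTANCE, {"Metadata": "true"})
    if status != 200:
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def detect_cloud(fetch):
    """Return ('aws', public_ipv4), ('azure', public_ipv4) or (None, None).

    Detection uses instance-id, which every EC2 instance has; public-ipv4 is a
    404 on instances without one, so it is fetched separately and may be ''.
    """
    if aws_imdsv2_get(AWS_INSTANCE_ID, fetch) is not None:
        return "aws", aws_imdsv2_get(AWS_PUBLIC_IPV4, fetch) or ""
    meta = azure_instance_metadata(fetch)
    if meta is not None:
        try:  # documented location of the public IP in the Azure instance document
            ip = meta["network"]["interface"][0]["ipv4"]["ipAddress"][0]["publicIpAddress"]
        except (KeyError, IndexError, TypeError):
            ip = ""
        return "azure", ip
    return None, None


# --- constructed fakes so the example runs offline ---------------------------------
FAKE_TOKEN = "AQAAA-constructed-token"
_FAKE_AWS_DATA = {AWS_INSTANCE_ID: "i-0123456789abcdef0", AWS_PUBLIC_IPV4: "203.0.113.10"}


def fake_aws_fetch(method, url, headers):
    """Stand-in for an EC2 instance with IMDSv2 required (constructed responses)."""
    if method == "PUT" and url.endswith(AWS_TOKEN_PATH):
        return (200, FAKE_TOKEN) if "X-aws-ec2-metadata-token-ttl-seconds" in headers else (400, "")
    if method == "GET" and headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        return 401, ""  # token-less (IMDSv1-style) GETs are refused
    path = url[len(IMDS):]
    return (200, _FAKE_AWS_DATA[path]) if path in _FAKE_AWS_DATA else (404, "")


def fake_azure_fetch(method, url, headers):
    """Stand-in for an Azure VM (constructed responses)."""
    if method == "GET" and url.endswith(AZURE_INSTANCE):
        if headers.get("Metadata") != "true":
            return 400, ""
        return 200, json.dumps({"network": {"interface": [{"ipv4": {"ipAddress": [
            {"privateIpAddress": "10.0.0.4", "publicIpAddress": "20.1.2.3"}]}}]}})
    return 404, ""


def unreachable_fetch(method, url, headers):
    """Stand-in for a host with no metadata service at all."""
    return None, ""


if __name__ == "__main__":
    for name, fake in (("aws", fake_aws_fetch), ("azure", fake_azure_fetch), ("none", unreachable_fetch)):
        print(name, detect_cloud(fake))
```

Two points worth noting for anyone writing a similar check: the AWS token is tied to the instance and has a short TTL, so it should be cached and re-minted rather than requested on every call (the example re-mints for simplicity), and Azure additionally exposes a fixed chassis asset tag in DMI (7783-7084-3265-9085-8269-3286-77) that can be read from /sys/class/dmi/id/chassis_asset_tag when the metadata service is unreachable.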
Improper VM shutdowns caused VEN data file corruption (E-109231)
If a workload was shut down improperly, such as by a sudden loss of power, and the kernel crashed, some critical VEN data files could have become corrupted, causing the VEN to lose connectivity with the PCE. This issue is resolved. Critical VEN data files are now more resilient to improper shutdowns of the workload.