Release notes: 3.0.39

Find out what's new in version 3.0.39.


The StackRox Kubernetes Security Platform version 3.0.39 includes new features, bug fixes, and system changes. In this version, we’re also laying the groundwork for exciting new features in forthcoming releases. To upgrade to this release from a previous version, see the Upgrade StackRox section.

New features

Online telemetry

The StackRox Kubernetes Security Platform version 3.0.39 includes the option to enable online telemetry. If enabled, we use it to gather environment data, which helps us troubleshoot support issues and improve the quality of future StackRox Kubernetes Security Platform versions based on real-world usage. See Online telemetry for more information.

Diagnostic data

You can now generate a diagnostic bundle and send it to the StackRox support team to aid in investigating your support issues with the StackRox Kubernetes Security Platform.

Support for refresh tokens

The StackRox Kubernetes Security Platform now supports the OAuth 2.0 Authorization Code Grant authentication flow when you specify a client secret during configuration of an OpenID Connect (OIDC) integration. This authentication flow allows you to use refresh tokens to stay logged in beyond the token expiration time configured in your OIDC identity provider. See Configure an OIDC Identity Provider for more information.
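The refresh described above is the standard OAuth 2.0 refresh_token grant: the client posts its refresh token to the identity provider's token endpoint, authenticates with its client secret, and receives a new access token with a new expiry. The following Go program is an added example and not StackRox's own implementation; it assumes a hypothetical client ID and secret, a constructed mock token endpoint served with httptest so it runs offline, and the helper names refreshSession, needsRefresh and newMockIdP, none of which come from the page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// tokenResponse is the subset of an OAuth 2.0 token endpoint response used here.
type tokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// session is what a client keeps after the authorization code exchange.
type session struct {
	AccessToken  string
	RefreshToken string
	ExpiresAt    time.Time
}

// needsRefresh reports whether the access token expires within skew of now.
func needsRefresh(s session, now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(s.ExpiresAt)
}

// refreshSession performs the refresh_token grant (RFC 6749 section 6).
// The client proves its identity with the client secret over HTTP Basic auth,
// which is why refresh support depends on configuring a client secret.
func refreshSession(c *http.Client, tokenURL, clientID, clientSecret string, s session, now time.Time) (session, error) {
	form := url.Values{}
	form.Set("grant_type", "refresh_token")
	form.Set("refresh_token", s.RefreshToken)
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return session{}, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return session{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return session{}, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return session{}, err
	}
	if tr.AccessToken == "" || tr.ExpiresIn <= 0 {
		return session{}, errors.New("malformed token response")
	}
	next := session{
		AccessToken:  tr.AccessToken,
		RefreshToken: tr.RefreshToken,
		ExpiresAt:    now.Add(time.Duration(tr.ExpiresIn) * time.Second),
	}
	// Providers may or may not rotate the refresh token; keep the old one if
	// the response carries none.
	if next.RefreshToken == "" {
		next.RefreshToken = s.RefreshToken
	}
	return next, nil
}

// newMockIdP is a constructed stand-in for the identity provider's token
// endpoint so the exchange can run offline. It accepts one refresh token,
// requires the correct client credentials, and issues a rotated pair.
func newMockIdP(clientID, clientSecret, validRefresh string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if err := r.ParseForm(); err != nil ||
			r.PostForm.Get("grant_type") != "refresh_token" ||
			r.PostForm.Get("refresh_token") != validRefresh {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tokenResponse{
			AccessToken: "access-2", TokenType: "Bearer", ExpiresIn: 3600, RefreshToken: "refresh-2",
		})
	}))
}

// demo walks one refresh cycle against the mock provider and returns the new session.
func demo() (session, error) {
	const clientID, clientSecret = "stackrox-ui", "constructed-client-secret" // hypothetical values
	idp := newMockIdP(clientID, clientSecret, "refresh-1")
	defer idp.Close()

	now := time.Now()
	// A session whose access token expires in 30 seconds; with a one minute
	// skew the client refreshes proactively instead of waiting for a 401.
	s := session{AccessToken: "access-1", RefreshToken: "refresh-1", ExpiresAt: now.Add(30 * time.Second)}
	if !needsRefresh(s, now, time.Minute) {
		return s, nil
	}
	return refreshSession(idp.Client(), idp.URL+"/token", clientID, clientSecret, s, now)
}

func main() {
	s, err := demo()
	if err != nil {
		fmt.Println("refresh failed:", err)
		return
	}
	fmt.Printf("access token %s valid until %s, refresh token %s\n",
		s.AccessToken, s.ExpiresAt.Format(time.RFC3339), s.RefreshToken)
}
```

The mock rejects a wrong client secret with invalid_client and an unknown refresh token with invalid_grant, which is the behaviour a real provider shows when a secret is rotated or a session is revoked; a client should treat either as "log in again", not retry.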

Native Jenkins plugin

You can now use the new StackRox Container Image Scanner Jenkins plugin to scan container images for published software vulnerabilities. You can add it as a build step in your freestyle projects or pipeline to ensure that your infrastructure is in adherence with the StackRox Kubernetes Security Platform build-time policies.

Important bug fixes

Resolved in version 3.0.39.0

  • ROX-3769: Previously, when integrating the StackRox Kubernetes Security Platform with Splunk, the test would pass even for invalid URLs. We’ve updated the logic to better integrate with Splunk (version 6.6.0 and newer). Now, when you integrate with Splunk, there is no need to specify the complete URL. You can specify the HTTP Event Collector URL as https://<splunk-server-path>:8088, <splunk-server-path>:8088, or http://<splunk-server-path>:8088. See Integrate with Splunk for more information.
  • ROX-3953: We’ve added the install commands for Helm 3. With Helm 3 you can run the Helm charts without the --name flag, for example helm install central ./central.
  • ROX-3971: Previously, the /v1/policies API endpoint always returned the lastUpdated property as Null. We’ve fixed this issue. The API now returns the correct time for edited policies and Null for unedited policies.
  • ROX-3985: Previously, Scanner would report errors for removed Debian packages. We’ve fixed this issue.
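The ROX-3769 item above lists three accepted forms for the HTTP Event Collector URL and notes that the old test accepted invalid URLs. The Go function below is an added example, not StackRox's own code, showing how such input can be normalized to a canonical scheme://host:port while rejecting inputs without a host, with a scheme other than http or https, or with a bad port. The function name normalizeHECURL, the https default for a bare host:port and the sample hostnames are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// normalizeHECURL accepts the three input forms listed in the release note
// (https://host:8088, host:8088 and http://host:8088) and returns a canonical
// scheme://host:port string. Anything without a usable host, with a scheme
// other than http or https, or with a bad port is rejected with an error.
func normalizeHECURL(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if s == "" {
		return "", errors.New("HEC URL is empty")
	}
	// A bare host:port carries no scheme. Default to https so that leaving
	// the scheme out never silently downgrades the connection to plaintext.
	if !strings.Contains(s, "://") {
		s = "https://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", fmt.Errorf("invalid HEC URL %q: %w", raw, err)
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return "", fmt.Errorf("unsupported scheme %q in %q (use http or https)", u.Scheme, raw)
	}
	host := u.Hostname()
	if host == "" {
		return "", fmt.Errorf("HEC URL %q has no host", raw)
	}
	port := u.Port()
	if port == "" {
		port = "8088" // default HEC port used in the release note's examples
	}
	if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
		return "", fmt.Errorf("invalid port %q in %q", port, raw)
	}
	// Any path, query or fragment is dropped: only scheme, host and port are
	// needed, matching the note that the complete URL need not be given.
	return fmt.Sprintf("%s://%s", u.Scheme, net.JoinHostPort(host, port)), nil
}

func main() {
	// Constructed inputs covering the accepted forms and some rejected ones.
	for _, in := range []string{
		"https://splunk.example.com:8088",
		"splunk.example.com:8088",
		"http://splunk.example.com:8088",
		"https://splunk.example.com:8088/services/collector/event",
		"ftp://splunk.example.com:8088",
		"https://:8088",
		"splunk.example.com:notaport",
	} {
		out, err := normalizeHECURL(in)
		if err != nil {
			fmt.Printf("%-60s -> rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-60s -> %s\n", in, out)
	}
}
```

Validating the URL shape up front is what lets a connection test fail fast on malformed input rather than reporting success because no request was ever attempted.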

Resolved in version 3.0.39.1

  • Bug ROX-4209: We’ve fixed an issue where the compliance scan would not correctly consider UID 0 as root for CIS Docker Benchmark check 4.1.

Resolved in version 3.0.39.2

  • Bug ROX-4088: We’ve fixed an issue where the automatic upgrades didn’t work if an admission controller was running on the secured cluster.
  • We’ve fixed an issue where the Central deployment triggered panic events after an upgrade while trying to prune undeployed images.

Resolved in version 3.0.39.3

  • Bug ROX-4317: We’ve fixed an issue where the Central deployment triggered panic events on start-up if risk assessments were still present for deleted deployments.

Important system changes

  • We’ve deprecated the UseStartTLS field in the email notifier configuration; in its place we now use an enum that supports more authentication methods.
  • We’ve added a new ScannerBundle resource type for use with the StackRox Kubernetes Security Platform role-based access control. See the Resource definitions section for details. Users now need READ permission for the ScannerBundle resource to run the roxctl scanner generate command. Previously, any authenticated user could run this command.

Scanner

  • We’ve removed the Scanner v2 (preview). If you are using the preview version, follow the upgrade instructions to switch to the generally available version of StackRox Scanner.
  • Scanner now fetches its vulnerability definitions from https://definitions.stackrox.io instead of https://storage.googleapis.com/definitions.stackrox.io/.
  • We’ve split the Scanner deployment into two separate deployments, scanner and scanner-db, to support Scanner autoscaling.

CLI

  • We’ve added the roxctl central cert command, which you can use to download Central’s TLS certificate. You can then pass the downloaded certificate with the --ca <downloaded-certificate> option to specify a custom CA.

Security updates

We’ve updated the Collector image to resolve CVE-2017-14062 in the libidn library (used for parsing internationalized domain names). The older version of libidn was vulnerable to a possible buffer overflow. We identified this vulnerability in the Collector images by using the StackRox Scanner, and we’ve upgraded libidn to a newer version that isn’t affected by CVE-2017-14062.

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.