An issue detected in release 4.47, related to the secure communication update introduced in that release, may cause a stability issue with the Collector. We therefore recommend updating your solution to the latest version (at least 4.48) as soon as possible.
The 4.53.x releases include several important security enhancements and fixes for security vulnerabilities related to the SAML integration. Customers using SAML and SSO to authenticate and authorize need to take several actions when upgrading the backend with this release (4.53.1), while SaaS customers are required to contact our Support to review and update their SAML settings.
For more information on the specific updates and required steps read here.
- Bug Fixes:
  - Fixed a bug that caused ARC screen loading issues when opening a link without being logged in
  - Fixed wrong redirection to the 403 page following ARC screen errors which shouldn't redirect there
  - Omitted empty separators when such are found in the expression of the SAML groups attribute
- Bug Fixes:
  - Fixed a rare bug that caused the Collector to fail processing of classes, which resulted in "Unknown Method" entries in the ARC screen. To apply this fix as part of the upgraded Collector, it is required to wipe the existing Collector's data during the upgrade (as described here).
- Minor improvements:
  - Added an internal log print for the .NET deployment name feature
- Security updates:
  - Applying strict parsing of the SAML assertion group attribute expression: any user with a missing or incorrect (non-existing) assignment of an Environment name or Role, or using an empty expression, will be denied access to the system. We will provide a backwards compatibility mode for an interim period.
  - Added an option to restrict the SAML group attribute name to a single attribute name. This will be an optional property for the next 3 months, after which it will be restricted to a default attribute name or a given name.
  - Added a new property to allow setting the default access role for authenticated users. This role is used in the simplified SSO mode, or when using the SAML Groups attribute with backwards compatibility mode enabled and an empty expression. The current default role is "Member". The default role will be changed to "No_Access" in 3 months (unless otherwise set specifically). It is therefore advised to set the default role in advance as a best practice and to prevent unwanted authorization results.
  - Improved user authorization flows when accessing the application through direct ARC or Dashboard links. Unauthenticated users will be redirected to their IdP, or to the Login page if they use basic authentication or have more than a single domain. Authenticated users without specific permission for an environment accessed through a direct link will receive a no-permissions error with basic details they can use to request access.
  - Added support for SAML assertions containing an 'Unspecified' KeyDescriptor.
For more information on using SAML for authentication and authorization, read here.
- Added a new internal admin-cli command, to be used under direct guidance of the OverOps Support team, for specific scenarios where a Jar file is missing on the storage server. This command can help recover the file by enabling the micro-agent to resend it for processing (specific cases of ERR-3002 when trying to access a snapshot).
- Updated the Backend email libraries to support TLS for emails sent by the backend server.
- Fixed a bug that occurred when using OpenID to log in on a browser with multiple user profiles, which resulted in the wrong user profile being used to log in.
- Fixed an issue with Reliability Dashboards connectivity for on-prem setups that use the existing proxy_url / frontend_url / host_url options
- Added io.opentracing and okio to our blacklist (known 3rd party libraries for which information isn't collected)
- Performance optimizations
- Bug fixes:
  - Fixed finally block handling (fix relevant for the Java 10-11 agent edition only)
  - Fixed a segmentation fault that occurred when using org.rocksdb with OverOps and automatic timers were enabled (Dtakipi.parallax=1)
  - Fixed a case where the Collector rejected agent connections with a 'Max capacity reached' error
On the ARC screen and on the dashboard grid we will provide automatic deployment name information based on the hit location; this information is extracted from the version number in the hit location path. For more information on how this feature works and how to control it, read here.
Added the following libraries to our blacklist (known 3rd party libraries for which information isn't collected): PlainElastic.Net, ZooKeeperNetEx, Avro, MyCouch, EnsureThat, Confluent, App.Metrics, TaskTupleAwaiter, DataAnnotationsValidator, RabbitMQ.Client, Orleans, OrleansDashboard, MoreLinq, Nuclex.Cloning, MySqlConnector, NUnit, Nito
Upgraded OverOps bundled Grafana to version 7.1.1
- Fixed the Quality Report timing out when accessing the report from a link in the SaaS environment
- Users can set the home screen in the Grafana settings
- Fixed the Transactions dashboard not allowing multi-selection for "Deployments"
- Fixed multi-selected fields being shown across the whole screen
- Added SonarQube support for .NET apps