11.4.1 Release Notes: Fixed Issues

Document created by RSA Information Design and Development

on Apr 23, 2020

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

This section lists issues fixed since the last major release.

Security Fixes

Tracking Number	Description
ASOC-90460	CentOS 7 kernel security Update - https://access.redhat.com/errata/RHSA-2020:0374
ASOC-89324	CentOS 7 qemu-kvm Security Update - https://access.redhat.com/errata/RHSA-2020:0366
ASOC-89323	CentOS 7 kernel-rt Security Update - https://access.redhat.com/errata/RHSA-2020:0375
ASOC-88972	CentOS 7 java-1.8.0-openjdk Security Update - https://access.redhat.com/errata/RHSA-2020:0196
ASOC-88273	CentOS 7 fribidi Security Update - https://access.redhat.com/errata/RHSA-2019:4326
ASOC-88034	CentOS 7 java-11-openjdk Security Update - https://access.redhat.com/errata/RHSA-2020:0122
ASOC-87935	CentOS 7 SDL Security Update - https://access.redhat.com/errata/RHSA-2019:4024
ASOC-87912	CentOS 7 nss, nss-softokn, nss-util Security Update - https://access.redhat.com/errata/RHSA-2019:4190
ASOC-87313	CentOS 7 tcpdump Security Update - https://access.redhat.com/errata/RHSA-2019:3976
ASOC-87312	CentOS 7 kernel security Update - https://access.redhat.com/errata/RHSA-2019:3979

Log Collection Fixes

Tracking Number	Description
SACE-12961/ ASOC-89784	WinRM channel bookmark is returning 1 as the PULL response and corrupts the bookmark file.

Administration Fixes

Tracking Number	Description
SACE-12969/ ASOC-90751	When the user logs in to NetWitness Platform, the permissions of the user who previously logged in is applied.
SACE-12753	Custom feed verifies only the host name in the URL path and not the filename or path.
SACE-12563	When you edit the feed, the previously selected and deployed device groups are not selected, making it difficult to understand which are deployed.
SACE-11456/ ASOC-89259	The NetWitness Platform user interface response is very slow and takes up to 30-45 seconds to work.

Investigate Fixes

Tracking Number	Description
ASOC-92592-	From UEBA, when you pivot on a meta value containing a slash, the Investigate > Events view, does not display any results
ASOC-88157	The event reconstruction for a filename in the Investigate > Events view is querying the wrong meta key (ip.src ) instead of ip.dst in the FTP system parser.
SACE-13028	When logs are exported in XML format from the Events view or the Legacy Events view, the logs have incorrect closing tags. The closing tag is <Logs/> instead of the correct closing tag, </Logs>.
SACE-12498	After Brazil stopped using Daylight Saving Time, there is a one-hour discrepancy between the configured Profile timezone (Americas/Sao Paulo GMT -3) and the timezone used to display time in the Investigate and Respond views (Americas/Sao Paulo GMT -2).

Respond Fixes

Tracking Number	Description
ASOC-90551	Compressed payloads not displayed when using text reconstruction in Respond In 11.3.2 and 11.4, you may encounter a scenario when using packet reconstruction within Respond for network sessions containing compressed (for example, gzip) payloads.
ASOC-88665	Respond may stop processing alerts when Endpoint file alerts do not contain a SHA256 Checksum In 11.3.2 and 11.4, you may encounter Respond stopping the processing of alerts when handling certain alerts containing Endpoint events not containing a SHA256 hash of the offending file. This results in a failure to calculate risk scores for alerts and subsequently errors when attempting to process subsequent alerts.

Tracking Number

Description

ASOC-90551

Compressed payloads not displayed when using text reconstruction in Respond

In 11.3.2 and 11.4, you may encounter a scenario when using packet reconstruction within Respond for network sessions containing compressed (for example, gzip) payloads.

ASOC-88665

Respond may stop processing alerts when Endpoint file alerts do not contain a SHA256 Checksum

In 11.3.2 and 11.4, you may encounter Respond stopping the processing of alerts when handling certain alerts containing Endpoint events not containing a SHA256 hash of the offending file. This results in a failure to calculate risk scores for alerts and subsequently errors when attempting to process subsequent alerts.

Health and Wellness Fixes

Tracking Number	Description
SACE-12973	ADMIN > Health & Wellness > System Stats Browser tab, does not display Fan status and System Temperature.

Core Services (Broker, Concentrator, Decoder, Archiver) Fixes

Tracking Number	Description
SACE-13098/ ASOC-87266	Packet Decoder has very low session rates and capturing at 9.6G.
SACE-8177/ ASOC-47223	Syslog forwarder forwards only the logs that have meta attached to them and have the forward flag set in the Application Rule.

ESA (Event Stream Analysis) Fixes

Tracking Number	Description
SACE-12839	A Context Hub enrichment in an ESA Rule creates alerts for the older values that are deleted. This issue occurs when the list from which the Context Hub Enrichment is created is a recurring one with the Overwrite option. When the values are overwritten by new values, ESA alerts should not be triggered for the older values.

Tracking Number

Description

SACE-12839

A Context Hub enrichment in an ESA Rule creates alerts for the older values that are deleted.

This issue occurs when the list from which the Context Hub Enrichment is created is a recurring one with the Overwrite option. When the values are overwritten by new values, ESA alerts should not be triggered for the older values.

Context Hub Fixes

Tracking Number	Description
SACE-13086/ ASOC-90987	When converting a recurring feed to a Context Hub list, it displays a failed status.

Reporting Engine Fixes

Tracking Number	Description
SACE-11897/ ASOC-87262	When you edit an existing schedule of a report, you cannot select a data source if a data source was not previously selected.

Endpoint Fixes

Tracking Number	Description
SACE-12888/ ASOC-90565	In the Investigate > Hosts view, duplicate hosts are displayed for the same hostname but with different agent IDs as the agent was installed multiple times.

Upgrade Fixes

Tracking Number	Description
ASOC-92601	Unable to upgrade the NW Server host to version 11.4.1.0 using the Offline User Interface method. This issue occurs when upgrading from 11.4.0.0 or 11.4.0.1 to 11.4.1. For a workaround, see Known Issue ASOC-92601.This issue is fixed when upgrading from 11.4.1 to a later release.
SACE-13125/ ASOC-90992	PAM Kerberos authentication fails after upgrading to 11.4.0.0.
SACE-13119	After upgrading to 11.4 and reconstructing an event in the Legacy Events view, the metadata drill down options are missing under the View Meta option in the event reconstruction toolbar.
SACE-12649	After upgrading to 11.3 or later, Log Collector does not receive logs from the Proofpoint event source.
SACE-12586/ ASOC-86468	After running the backup script version 4.5 on a 10.6.6 system, an error "verify Puppet Certs validity on SA Server" is displayed.
SACE-12138/ ASOC-84298	When running the NetWitness Recovery Tool (NRT), the custom Meta Groups and Profiles are not imported as a part of the restoration process.
SACE-11531/ ASOC-79467	(Malware Analysis) After upgrading to 11.2.1.1, the Threatgrid module is not working and the RSA Cloud connection is not working via HTTP Proxy.
SACE-11196/ ASOC-77071	After installing version 11.2.0.0, the mongo sa.repo table does not show that the 11.2.0.0 repo is downloaded even though /var/netwitness/common/repo/11.2.0.0 is available.

Previous Topic:What's New

Next Topic:Known Issues

You are here

Table of Contents > Fixed Issues