[4.6] Patch - May 16, 2022

This article provides an overview of the issues resolved in Fortanix Data Security Manager (DSM) 4.6.2057.

WARNING
  • An upgrade of Fortanix DSM to version 4.3 or 4.4 is REQUIRED before upgrading to version 4.6.2057. If you want to upgrade to 4.6.2057 from an older version, please reach out to the Fortanix Customer Success team.
  • Before downgrading Fortanix DSM from version 4.6.2057 to older releases, remove all the IPv6 rules under the cluster IP-Policy setting.
NOTE
  • After the software package is uploaded, the expected time to upgrade a 3-node cluster is about 1.5 to 2 hours from version 4.3 or 4.4 to 4.6.2057.

1. Bug Fixes

  • Fixed an issue where the GetAccountUsage API had an incorrect session type (JIRA: PROD-4610).
  • Fixed an issue where a JCE update to print x-request-id caused a backward compatibility error (JIRA: PROD-4612).

2. Security Fixes

  • Fixed a bug where essential validation checks were missing when allocating and processing FifoDescriptor (JIRA: PLAT-896). An attacker with complete control of the address space could leverage these missing checks to rewrite the stack pointer to point outside of the enclave, into an attacker-crafted stack. Using return-oriented programming (ROP), the attacker could then execute arbitrary code and leak anything accessible by the enclave.

3. Known Issues

  • An account could be lost if account tables are inconsistent between nodes. Make sure a backup is successful before proceeding with ANY upgrade (JIRA: PROD-4234).
  • When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, the deploy job may exit and be marked completed before the cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
  • The sync key API returns “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD-3311).

4. Installation

To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.
