The NetWitness 12.4.2.0 Release Notes describe several defects, critical security patches for reported vulnerabilities, upgrade paths, fixed issues, known issues, build numbers, and self-help resources.
Fixes and Security Patches
The following sections are a complete list and description of fixes and security patches:
To locate the documents that are referred to in this section, see https://community.netwitness.com/t5/netwitness-platform-online/netwitness-platform-all-documents/ta-p/676246.
The Product Documentation section has links to the documentation for this release.
Platform
- AlmaLinux OS Upgrade: When you upgrade to NetWitness 12.4.2, the system is automatically migrated to AlmaLinux 8.10. The NetWitness Platform 12.4 upgrade process is an automatic in-place upgrade of both the operating system and the NetWitness software. You do not have to follow any specific procedure to upgrade the operating system to AlmaLinux 8.10.
- HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to communicate only via HTTPS. The remote HTTPS server does not enforce HSTS in the NetWitness user interface, and vulnerability scanners have flagged this on a few ports. The absence of HSTS leaves the interface vulnerable to downgrade attacks and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue is now resolved in the 12.4.2 release.
NetWitness User Interface
- The event time of Critical and High Alerts displayed on the Host Details view is incorrect. Also, an error message "Unable to fetch events, server may be down or inaccessible" is displayed. As a result, the High alerts are not rendered in the NetWitness UI. This issue is now resolved in the 12.4.2 release.
- Users are unable to log in using AD accounts (applies to PAM and NetWitness users) after upgrading to 12.4 when the user has more than one role and the default landing page is not springboard. This issue is now resolved in the 12.4.2 release.
Event Source Management (ESM)
The Event Source Management server allows manually mapped parsers along with other parsers, which creates inconsistencies in parsing the logs. This issue is now resolved in the 12.4.2 release.
System Management Service (SMS)
- The total numbers of events on the Event Sources tab and the Investigate page do not match. Some of the events are missing in the Event Sources list. This issue is now resolved in the 12.4.2 release.
- ESM alarms from log sources are not received after upgrading to 12.3.1. This issue is now resolved in the 12.4.2 release.
- Even after deleting events from Event Sources, some events appear again in the Event Sources tab. This issue is now resolved in the 12.4.2 release.
- Importing the attributes from the CMDB to the event source on ESM causes the ESM database to get corrupted. This issue is now resolved in the 12.4.2 release.
Legacy Web Server
No results appear when viewing the Investigate page and attempting a Context Lookup for a value. The Context Lookup issue is detected only on the Investigate Navigate and Legacy Events page. This issue is now resolved in the 12.4.2 release.
This issue is not observed on the Investigate > Events page.
Security Updates
This release addresses the latest security vulnerabilities reported against various libraries the NetWitness Platform uses, including two critical (CVE-2023-6816, CVE-2016-1000027), 36 major, 97 moderate, and 16 minor vulnerabilities.
Follow security best practices and do not deploy an Admin server node on a public IP address. This precaution is essential to mitigate the risk of potential directory traversal attacks, particularly through vulnerable endpoints such as /nwrpmrepo and /service-mappings.json. These files contain sensitive information, including private IPs, RPMs, and other executables, which must remain strictly restricted from exposure to the internet. Implementing this safeguard helps prevent unauthorized access to internal NetWitness environments.
For more information on Security Fixes, see https://community.netwitness.com/t5/netwitness-platform-advisories/ct-p/netwitness-advisories#security.
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.4.2.0:
- NetWitness 12.4.1.0 to 12.4.2.0
- NetWitness 12.4.0.0 to 12.4.2.0
- NetWitness 12.3.1.0 to 12.4.2.0
- NetWitness 12.3.0.0 to 12.4.2.0
- NetWitness 12.2.0.1 to 12.4.2.0
- NetWitness 12.2.0.0 to 12.4.2.0
For more information on upgrading to 12.4.2.0, see Upgrade Guide for NetWitness 12.4.2.0.
IMPORTANT: To upgrade from 11.7.x or 11.7.x.x to 12.4.2.0, you must first upgrade to 12.2.0.0 or 12.3.0.0 before upgrading to 12.4.2.
IMPORTANT: The Warehouse connector uses a lockbox to store credentials securely for data integration sources and destinations. However, users upgrading from earlier versions to the 12.4 version cannot start the configured streams without migrating their existing credentials to the new lockbox. As a result, users must manually create a new lockbox key and then refresh the password for their sources and destinations configured in Warehouse Connector, wherever applicable. For detailed instructions on creating the new lockbox key, refer to the Warehouse Connector section under the Post Upgrade Tasks in the Upgrade Guide for NetWitness 12.4.2.0.
Product Version Life Cycle for NetWitness Platform
See Product Version Life Cycle for NetWitness Platform for a list of versions that reach End of Primary Support (EOPS).