RSS

Serverless Agent Release Notes

For Installation and Upgrade steps, see AWS Fargate Serverless Agents.

4.2.1 Sep 7, 2023

Defect Fixes

Ensure Workload Instrumentation Handles Signals Consistently

Esure the stack pointer always points to a valid stack area, as required by signal handlers.

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2023-30079
  • CVE-2023-22652
  • CVE-2023-28321
  • CVE-2023-28484
  • CVE-2023-29469
  • CVE-2023-34969
  • CVE-2023-28322

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2023-28321
  • CVE-2023-28484
  • CVE-2023-29469
  • CVE-2023-28322

4.2.0 Aug 1, 2023

Defect Fixes

Ensure Graceful Termination of the Instrumented Workload

The runtime instrumentation ensures the graceful termination of the instrumented workload when the container receives a termination signal (SIGTERM).

Workload Agent Instability

The workload agent no longer fails to handle the syscall bpf(2).

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2018-20839
  • CVE-2019-12904
  • CVE-2019-17543
  • CVE-2020-17049
  • CVE-2020-24736
  • CVE-2021-39537
  • CVE-2021-42694
  • CVE-2022-23990
  • CVE-2023-1667
  • CVE-2023-2253
  • CVE-2023-2283
  • CVE-2023-26604

Fixed the following vulnerabilities with the serverless patcher:

  • CVE-2018-20839
  • CVE-2019-12904
  • CVE-2019-17543
  • CVE-2020-17049
  • CVE-2020-24736
  • CVE-2021-39537
  • CVE-2021-42694
  • CVE-2023-0361
  • CVE-2023-1667
  • CVE-2023-2253
  • CVE-2023-2283
  • CVE-2023-26604
  • CVE-2023-27535

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2018-20839
  • CVE-2019-12904
  • CVE-2019-17543
  • CVE-2020-17049
  • CVE-2020-24736
  • CVE-2021-39537
  • CVE-2021-42694
  • CVE-2022-23990
  • CVE-2023-1667
  • CVE-2023-2283
  • CVE-2023-24329
  • CVE-2023-26604
  • CVE-2023-34969

4.1.2 Jun 1, 2023

Defect Fixes

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2023-27535
  • CVE-2023-24329
  • CVE-2022-43552
  • CVE-2022-35252
  • CVE-2019-20916

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2023-27535
  • CVE-2022-43552
  • CVE-2022-35252

Workload Agent Instability

The workload agent no longer fails to handle the capset syscall.

Orchestrator Agent Secure Features

The orchestrator agent no longer fails to start when the collector enables falcobaseline.

4.1.1 May 15, 2023

Defect Fixes

Vulnerabilities

Fixed the following vulnerabilities with the serverless patcher:

  • CVE-2023-28840
  • CVE-2023-28841
  • CVE-2023-28842

4.1.0 May 2, 2023

Cross-Compatibility

The orchestrator agent 4.1.0 is compatible with the workload agent 4.0.0 and vice versa.

New Features

Disable AWS ContainerInsights

The CloudFormation templates orchestrator-agent.yaml and serverless-instrumentation.yaml support disabling Container Insights.

Defect Fixes

Captures Fixed

Captures no longer fail to start and complete.

Kilt Recipe/Definition Customization

The Kilt Recipe/Definition in the instrumentation.yaml can now be customized.

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2022-41723
  • CVE-2023-0286

Fixed the following vulnerabilities with the serverless patcher:

  • CVE-2023-0286

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2023-24329
  • CVE-2023-0286

4.0.0 February 10, 2023

End of Life

The local installer used to deploy the instrumentation stack is no longer supported.

Deprecation Notice

The CloudFormation template serverless-instrumentation.yaml has been deprecated.

New Features

Serverless Patcher

The Serverless Agent 4.0.0 provides serverless-patcher, a new containerized template patcher that can run locally and be integrated into CI/CD pipelines.

CloudFormation Template instrumentation.yaml

The Serverless Agent 4.0.0 provides instrumentation.yaml, a new CloudFormation template to deploy the automation to instrument (that is to patch) templates on Cloud.

SecretsManager Support for the Orchestrator Agent

Secrets like the Access Key and the Proxy Password can be now automatically fetched and provided to the orchestrator agent at deployment time.

Custom CA Certificates Support for the Orchestrator Agent

The orchestrator agent supports the uploading of custom CA certificates. That allows the SSL certificate verification of OnPrem backends and proxies.

Workload Agent Logs Fine-Tuning

Logs can be tuned and controlled at the fine-grained component level. This can avoid excessive logging from certain components, or enable extra logging from specific components for troubleshooting.

Defect Fixes

Runtime Instrumentation Exits

The runtime instrumentation exits when the main process exits, thus avoiding waiting other process to finish and keeping the container alive.

Renamed Parameter in CloudFormation Template orchestrator-agent.yaml

The Gateway parameter has been renamed to NetworkType in the CloudFormation template orchestrator-agent.yaml.

Exact Image Tags

The CloudFormation stacks uses exact tags now, instead of latest.

Redundant Wildcard Permissions

Redundant wildcard permissions have been removed from the TaskRole of the orchestrator-agent.

SIGINT/SIGTERM Propagation

The runtime instrumentation propagates SIGINT and SIGTERM signals to the instrumented workload now.

Honor Log Silent Mode in the Workload Agent

The `silent log mode prevents environment variables from being printed now.

List Separator to OptIn/OptOut Containers to be/from being Instrumented

Colons are now required as list separators to OptIn/OptOut containers. Commas are no longer supported.

Example

In the TaskDefinition, Tags can be leveraged to explicitly instrument some containers of the task, or prevent a bunch of them from being instrumented. For example, the following tag prevents myContainer1 and myContainer2 from being instrumented when the template patching runs in OptOut mode (default):

Tags:
  - Name: "kilt-ignore-containers"
    Value: "myContainer1:myContainer2"

Vulnerabilities

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2022-28948
  • CVE-2022-47629
  • CVE-2022-41721

Fixed the following vulnerabilities with the workload agent:

  • CVE-2022-47629

3.0.5 December 07, 2022

Defect Fixes

Fixed the following vulnerabilities with the orchestrator agent:

  • CVE-2014-6407
  • CVE-2014-3499
  • CVE-2014-9356
  • CVE-2014-9357
  • CVE-2015-3627
  • CVE-2022-32149
  • CVE-2022-42898

Fixed the following vulnerabilities with the workload agent:

  • CVE-2021-42836
  • CVE-2021-42248

Fixed the following vulnerabilities with the serverless instrumentation:

  • CVE-2022-42898

3.0.4 November 17, 2022

Defect Fixes

Tag Value Reference Failure Fixed

The Instrumentation Lambda in the CloudFormation stack no longer fails when the workload to be instrumented contains references for tags’ values.

Broad Stack Permissions Reduced

Permissions were reduced in the CloudFormation stack.

Proxy Password Obfuscation Failure Fixed

Orchestrator and Instrumentation logs no longer contain plaintext proxy passwords.

3.0.3 September 19, 2022

New Feature

Added task label to the metric serverlessdragent.workload_agent.count to enable grouping multiple containers in a single task.

3.0.2 September 02, 2022

Defect Fixes

Fixed Preventing Workload Starting if no Policies in Place

To avoid workload starvation, the instrumentation can now start the workload if security policies are not in place.

The workload starting policy can be easily configured, see Configure workload starting policy.

Fixed Workload-starvation-detection Watchdog

Instrumentation watchdog no longer needs to be configured via the watchdog.sinsp_worker_timeout_s parameter.

Fixed /proc Scan Failure

Instrumentation /proc scan no longer fails when the SSM Agent runs as root and the instrumented task runs as non-root user.

New Instrumentation Logging Level Parameter

The instrumentation logging level can now be easily configured via a new parameter exposed in the Instrumentation stack.

3.0.1 June 30, 2022

Defect Fixes

Log Levels Updated

The instrumentation logger for the Fargate Serverless Agent can now be configured to the following log levels:

  • silent
  • error
  • warning
  • info
  • debug
  • trace

See also: Manage Serverless Agent Logs

3.0.0 June 17, 2022

Defect Fixes

Fixed DEBUG Logging Error

The instrumented task should no longer be blocked from starting when using DEBUG logging with log-forwarding enabled, and better error messages have been added for failures when log forwarding.

Fixed Termination Error

Instrumentation tasks now terminate correctly on fatal errors and trigger the ECS restart policy.

Cleaned Up Serverless Agent Metadata

Redundancies in the serverless agent metadata (labels and tags) were corrected:

  • AWS-related metadata are grouped below aws.* tags
  • Container-related metadata are grouped below container.* tags
  • Custom tags are grouped below agent.* tags

New Features

New Container-Based Installer

The Serverless Agent 3.0.0 provides a new container-based installer to simplify the deployment of the instrumentation & orchestration stacks. (Serverless Agent 3.0.0 supports the existing command-line-based installer as well.) See also: AWS Fargate Serverless Agents.

Instrumentation Logs Format

The Serverless Agent 3.0.0 supports both the json and text format for the forwarded instrumentation logs. See also Manage Serverless Agent Logs.

2.3.0 March 15, 2022

Defect Fixes

Container Metadata Now Automatically Provided to Avoid Errors

The following metadata values are now automatically passed by serverless agents:

- container.image.repo*
- container.image.tag**
- container.image.digest**
- container.image.id*

*value is always provided in same way **value depends on how the image is referred to when deploying the instrumented container, i.e. repo:tag vs repo@digest.

Example:

:latest When specifying an image such as falcosecurity/event-generator:latest the metadata configuration =:

- container.image.repo = falcosecurity/event-generator
- container.image.tag = latest
- container.image.digest = null
- container.image.id = sha256:aaabbbcccddd

:named image When specifying an image such asfalcosecurity/event-generator@sha256:aaabbbcccddd the metadata configuration =:

- container.image.repo = falcosecurity/event-generator
- container.image.tag = null
- container.image.digest = sha256:aaabbbcccddd
- container.image.id = sha256:aaabbbcccddd

Fixed Display Problem in Insights Composite View for Fargate Events

Secure events from the Fargate serverless agent are now correctly labeled with Account ID and Region, allowiing them be grouped correctly in the Insights Composite view.

Fixed Occasional Problem with Starting Instrumented Tasks

Added retry and fallback logic to avoid restarts when a log-forwarding endpoint isn’t present.

Manual Instrumentation of Workload Agents

Improved documentation for manual instrumentation of workload agents, including handling logs.

Topics in This Section
2021 Archive

2021 Archive of Sysdig Serverless Agent release notes.