Version: 2.14.0

Release Notes

What's Changed in Version 2.14.0

  • Enhanced Learning and Enforcement Mode UI Messaging: A pop-up message now appears when learning mode is enabled while enforcement mode is active, or when switching from monitor mode (with learning enabled) to enforcement mode. The message explains how the monitor mode list is used as a filter and warns that events not matching the monitor list will still be subject to enforcement and lockout thresholds.

  • Default Replication Schedule Changed to 15 Minutes: The default replication schedule has been updated from every 5 minutes to every 15 minutes. Custom schedule settings are not affected by this change.

  • SupernaOne Support Removed: SupernaOne support has been fully removed in this release following the shutdown of the backend server. Any related client files in the data folder have no impact and can be safely ignored.

  • Configuration Replication ID Renamed to ConfigReplication: The ID name for the configuration replication section in Eyeglass CLI Commands has been renamed to ConfigReplication.

What's Fixed in Version 2.14.0

  • CIDR Notation Support: Ransomware Defender now locks out NFS exports using CIDR notation. If the ransomware event's client IP falls within an export's CIDR range during NFS lockout, the IP is added as read-only to the export, blocking further malicious access.

  • Access Zone Failover Logging: Failing over multiple Access Zones at once now produces a separate log file for each Access Zone, rather than combining all output into one file.

  • Export Replication Improvements: When client IPs on an NFS export change on the source cluster, configuration replication now updates the corresponding export on the target cluster directly, instead of deleting and recreating it. If multiple exports use the same path and zone, replication behavior remains as before for those exports.

  • "When-Snapshot-Occurs" Schedule for SyncIQ Policies: SyncIQ policies with a "when-snapshot-occurs" schedule no longer revert to a manual schedule on failover when the source and target clusters run different versions. The "when-snapshot-occurs" schedule is now maintained correctly on failover.

  • Cyber Recovery Snapshot Selection: When selecting snapshots in Cyber Recovery Manager, snapshots created by SyncIQ for replication are now excluded from the list.

  • Stale Mount Recovery: The mount health check script in ECA has been updated to improve recovery in case of stale mounts. If a stale mount is detected, the system unmounts the mount, restarts autofs, restarts Docker, and ensures that all containers are healthy. If the containers are not healthy, the cluster is restarted. If the restart does not resolve the issue, an alarm is raised.

  • Kafka Monitoring: If Kafka lag increases excessively and the system appears to have stopped reading from the Kafka topic, Fastanalysis automatically restarts to restore event processing. This update ensures the restart occurs only when necessary, preventing unnecessary restarts during periods of low or no activity.

  • ECS Airgap False Alarm: ECS Airgap no longer raises a false alarm indicating that a job did not start when the job did in fact start on time.

  • Autocomplete Fields Removed: Autocomplete is now disabled on all username and password fields in the UI, reducing potential security exposure.

  • HBase Memory Increase: HBase memory allocation has increased to prevent out-of-memory exceptions and errors when retrieving finished reports on environments with large audit datasets.

  • ECA Connection Error False Alarm: During lighttpd log rotation, ECA no longer raises a major connection failure alarm. The alarm was a false positive caused by a brief, expected interruption in the ECA-to-Eyeglass connection during log rotation.

  • ECS Airgap DB Table: The clonejob command now supports specifying a custom database table name for cloned ecssync jobs:

    ecactl ecssync clonejob --job orig_job --newname new_job_name [--dbtable newtablename]

    Behavior:

    • --dbtable specified: Cloned job uses the specified table name, which persists after archival.
    • --dbtable not specified:
      • Auto-generates a table name.
      • Inherits table persistence behavior from the original job (removes table after archival if original has no table; persists otherwise).

    You can view the full XML job configuration, which includes the database table name, using a new command:

    ecactl ecssync showjobconfig --job jobname

  • Seamless Failover: Seamless failover now removes, then re-adds, pool interfaces after policies fail over. To revert to the previous method of seamless failover (which used netstat to find connected clients and then disconnected each client using the cluster REST API), set the seamless_failover_re-add_interfaces tag in system.xml to false.

  • Check Connected Clients Button Deprecation: The Connected Clients check for Access Zones and Pool Readiness has been removed from the DR Dashboard.

  • Igls-original SPN Creation: The "igls-original" SPNs were not being re-created when they previously existed on the source cluster, such as during a re-failover scenario. This case is now handled correctly.

  • ECA Memory Settings Persistence: During cluster startup, ECA may recommend memory setting changes based on its analysis. Your choice to accept or decline these changes is now remembered for future cluster startups.
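The CIDR Notation Support fix in the list above hinges on matching an event's client IP against export entries that may be single addresses or CIDR ranges. The following is an added sketch, not Superna's code: the export dictionaries, their field names (`clients`, `read_only_clients`) and the sample paths and addresses are constructed assumptions.

```python
import copy
import ipaddress

def entry_covers(entry, ip):
    """True if an export client entry (single IP or CIDR range) covers ip."""
    try:
        net = ipaddress.ip_network(entry, strict=False)  # tolerates host bits
    except ValueError:
        return False  # hostname or netgroup entry: not resolved in this sketch
    return net.version == ip.version and ip in net

def lock_out(exports, client_ip):
    """Add client_ip as read-only on every export whose client list covers it.

    Mutates the export dicts in place and returns the ids of matched exports.
    Calling it twice for the same IP does not duplicate the entry.
    """
    ip = ipaddress.ip_address(client_ip)
    matched = []
    for exp in exports:
        if any(entry_covers(e, ip) for e in exp["clients"]):
            if client_ip not in exp["read_only_clients"]:
                exp["read_only_clients"].append(client_ip)
            matched.append(exp["id"])
    return matched

# Constructed sample exports (hypothetical field names and values).
EXPORTS = [
    {"id": 1, "path": "/ifs/data/eng", "clients": ["10.20.0.0/16"],
     "read_only_clients": []},
    {"id": 2, "path": "/ifs/data/fin",
     "clients": ["10.30.5.7", "nfs-client.example.com"],
     "read_only_clients": []},
    {"id": 3, "path": "/ifs/data/lab",
     "clients": ["10.20.4.0/24", "2001:db8::/32"],
     "read_only_clients": []},
]

if __name__ == "__main__":
    demo = copy.deepcopy(EXPORTS)  # keep the sample data untouched
    print(lock_out(demo, "10.20.4.9"), demo[0]["read_only_clients"])
```

A comparison of the client IP against export entries as plain strings would match only export 2's literal address and miss both CIDR-based exports.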

Security Fixes

The following CVEs and security vulnerabilities are resolved in this release:

  • Updated JavaScript libraries to address outdated dependencies
  • Resolved Apache Log4j CVE-2025-68161 socket appender TLS hostname verification vulnerability
  • Resolved TLS/SSL server use of commonly used prime numbers

Known Issues

The following known issues have been identified in version 2.14.0.

  • AirGap Log Folder Not Created in Eyeglass: On AirGap ECSSync deployments, the airgap log folder is not created automatically in Eyeglass. This prevents Vault Agent logs from being uploaded. To work around this issue, manually create the airgap log folder.

  • Nutanix and Hyper-V Setup Commands Incomplete After Network Setup: Running spy-hypervisor-setup on Nutanix or Hyper-V deployments exits after the network setup step without running the remaining setup steps, including SSL key pair generation and service startup. To work around this issue, run the following commands manually:

    For Eyeglass:

    spy-hypervisor-setup
    igls-setup-securedir
    systemctl enable --now lighttpd.service sca

    For ECA, set up all worker nodes first, then the master node:

    • On each worker node, run spy-hypervisor-setup as root, then run /opt/superna/bin/ovf set-value -f vm.is_master='N'.
    • On the master node, run spy-hypervisor-setup as root, then run /opt/superna/bin/ovf set-value -f vm.is_master='y' vm.clustername=<cluster_name> cluster.ips='<worker node ip 1> <worker node ip 2>'.
    • Change to the ecaadmin user and run eca-load-env; eca-script add-node-singles <worker node ip 1> <worker node ip 2>.

  • ecactl kafka topics Help and Describe Commands Fail: Running ecactl kafka topics --help or ecactl kafka topics --describe fails with a port binding error.

  • ecactl kafka topics Commands Fail with JMX Port Error: Running ecactl kafka topics --help, ecactl kafka topics --describe, or any ecactl kafka topics subcommand fails with a JMX connector error: Port already in use: 9999. This issue affects ecactl kafka topics CLI commands only. All other service functionality is not affected.

    Workaround: Use the following commands in place of ecactl kafka topics:

    ecactl containers exec kafka bash -c 'unset JMX_PORT && bin/kafka-topics.sh --bootstrap-server kafka:9092 --help'
    ecactl containers exec kafka bash -c 'unset JMX_PORT && bin/kafka-topics.sh --bootstrap-server kafka:9092 --describe'

Known Vulnerabilities

The following known vulnerabilities have been identified in version 2.14.0.

  • Apache Spark (3.5.8) Ships with Older Version of Log4j: Apache Spark 3.5.8 bundles an older version of Log4j that may be missing recent security patches. A Spark upgrade is planned once a release with a compatible, patched Log4j version is available.

  • D3 Library No Longer Maintained: The D3 visualization library used in the product is no longer maintained by its original developers. This will be resolved as part of the new UI implementation, which will replace D3 with an actively maintained alternative.

  • Old React Version 18.3.1: The Platform UI uses React 18.3.1, which is no longer supported by the React team. This may result in missing security patches and compatibility issues with modern browsers. An upgrade is planned as part of the Platform UI modernization effort.

  • Sensitive Cookie Without "HttpOnly" Flag: Certain application cookies are missing the HttpOnly flag, making them accessible to client-side JavaScript. This will be addressed in a future release as part of a session management refactor.
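To see which cookies a deployment actually issues without HttpOnly, the response headers can be audited directly. This is an added example, not part of the release notes or the product: the cookie names, the sample response and the name-based sensitivity heuristic are constructed assumptions.

```python
# Assumption: substrings that suggest a cookie carries session/auth state.
SENSITIVE_HINTS = ("sess", "sid", "token", "auth")

def set_cookie_values(raw_headers):
    """Yield the value of every Set-Cookie header in a raw header block."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            yield value.strip()

def parse_cookie(value):
    """Return (cookie_name, {lowercased attribute name: attribute value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:  # skip empty segments left by a trailing ';'
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def audit(raw_headers):
    """Return (name, looks_sensitive) for each cookie set without HttpOnly."""
    findings = []
    for value in set_cookie_values(raw_headers):
        name, attrs = parse_cookie(value)
        if "httponly" not in attrs:  # attribute names are case-insensitive
            sensitive = any(h in name.lower() for h in SENSITIVE_HINTS)
            findings.append((name, sensitive))
    return findings

# Constructed sample response headers.
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123; Path=/; Secure
Set-Cookie: ui_theme=dark; Path=/; Max-Age=31536000
set-cookie: auth_token=xyz; Path=/; Secure; HTTPONLY; SameSite=Strict
"""

if __name__ == "__main__":
    for name, sensitive in audit(SAMPLE):
        print(name, "sensitive" if sensitive else "low-risk", "missing HttpOnly")
```

Cookies flagged as sensitive are the ones to prioritize, since a cookie readable from client-side JavaScript can be read by any script running in the page.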


Upgrade Information

For questions about upgrading to version 2.14.0, contact Superna Support.