# 2.9.0 release notes




March 21, 2023

NGINX Instance Manager 2.9.0 release notes

## Upgrade Paths {#2-9-0-upgrade-paths}

NGINX Instance Manager 2.9.0 supports upgrades from these previous versions:

- 2.6.0 - 2.8.0

If your NGINX Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

## Security updates {#2-9-0-security-updates}

**Important:**
For the protection of our customers, NGINX doesn’t disclose security issues until an investigation has occurred and a fix is available.

This release includes the following security updates:

- [icon: resolved] **Instance Manager vulnerability CVE-2023-1550**<a name="2-9-0-security-updates-Instance-Manager-vulnerability-CVE-2023-1550-44367"></a>

   NGINX Agent inserts sensitive information into a log file ([CVE-2023-1550](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1550)). An authenticated attacker with local access to read NGINX Agent log files may gain access to private keys. This issue is exposed only when the non-default trace-level logging is enabled.

   NGINX Agent is included with NGINX Instance Manager, and used in conjunction with API Connectivity Manager and the Security Monitoring module.

   This issue has been classified as [CWE-532: Insertion of Sensitive Information into Log File](https://cwe.mitre.org/data/definitions/532.html).

   #### Mitigation

   - Avoid configuring trace-level logging in the NGINX Agent configuration file. For more information, refer to the [Configuring the NGINX Agent](/nginx-one-console/agent/configure-instances/configuration-overview/) section of the documentation. If trace-level logging is required, ensure only trusted users have access to the log files.

   #### Fixed in

   - NGINX Agent 2.23.3
   - Instance Manager 2.9.0

   For more information, refer to the MyF5 article [K000133135](https://my.f5.com/manage/s/article/K000133135).
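
The two conditions in this advisory (trace-level logging enabled, and log files readable by more than their owner) can be checked on a host with a short script. This is an added example, not code from NGINX or F5; it assumes the agent configuration is YAML with a top-level `log:` section containing a `level:` key, and takes the config file and log directory as arguments.

```bash
#!/usr/bin/env bash
# Added example: check a host for the two CVE-2023-1550 exposure conditions.
# Assumption: the agent config is YAML with a top-level "log:" section
# that holds the "level:" key. Paths are passed in, not hard-coded.

# Print the configured log level in lower case (empty if unset).
agent_log_level() {
  awk '
    /^[^ \t#]/ { in_log = ($0 ~ /^log:/) }   # entering a top-level section
    in_log && /^[ \t]+level:/ {              # commented-out keys do not match
      sub(/^[ \t]+level:[ \t]*/, "")
      sub(/[ \t]*(#.*)?$/, "")               # drop trailing comment
      print tolower($0); exit
    }' "$1" | tr -d "\"'"
}

# List log files that group or other can read.
exposed_logs() {
  find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Status 0: trace logging off. 1: trace on, logs owner-only.
# 2: trace on and logs readable beyond the owner (the exposed case).
audit_agent_logging() {
  level=$(agent_log_level "$1")
  [ "$level" = "trace" ] || return 0
  if [ -n "$(exposed_logs "$2")" ]; then
    echo "trace logging enabled; readable by group/other:" >&2
    exposed_logs "$2" >&2
    return 2
  fi
  echo "trace logging enabled; log files are owner-only" >&2
  return 1
}

# Run as: script <agent-config-file> <log-directory>
if [ "$#" -eq 2 ]; then audit_agent_logging "$1" "$2"; fi
```

A status of 1 still means key material may be written to the log, so rotated and shipped copies of those files need the same access restrictions.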

## What's new {#2-9-0-whats-new}

This release includes the following updates:

- [icon: feature] **New webpages for viewing Attack Signature and Threat Campaigns**<a name="2-9-0-whats-new-New-webpages-for-viewing-Attack-Signature-and-Threat-Campaigns-39619"></a>

   The Instance Manager web interface now allows you to view Attack Signatures and Threat Campaign packages published to instances and instance groups. You can also publish these packages using the precompiled publication mode.

- [icon: feature] **NGINX Agent supports Rocky Linux 8 and 9**<a name="2-9-0-whats-new-NGINX-Agent-supports-Rocky-Linux-8-and-9-39709"></a>

   The NGINX Agent now supports Rocky Linux 8 (x86_64, aarch64) and 9 (x86_64, aarch64).  The NGINX Agent supports the same distributions as NGINX Plus. For a list of the supported distributions, refer to the [NGINX Plus Technical Specs](https://docs.nginx.com/nginx/technical-specs/#supported-distributions) guide.

- [icon: feature] **New Events for CUD actions**<a name="2-9-0-whats-new-New-Events-for-CUD-actions-39911"></a>

   Events will be triggered for `CREATE`, `UPDATE`, and `DELETE` actions on Templates, Instances, Certificates, Instance Groups, and Licenses.

- [icon: feature] **The _Certificate and Keys_ webpage has a new look!**<a name="2-9-0-whats-new-The-Certificate-and-Keys-webpage-has-a-new-look-39950"></a>

   Our new and improved _Certificates and Keys_ webpage makes it easier than ever to efficiently manage your TLS certificates.

- [icon: feature] **Add commit hash details to NGINX configurations for version control**<a name="2-9-0-whats-new-Add-commit-hash-details-to-NGINX-configurations-for-version-control-39951"></a>

   Use the Instance Manager REST API to add a commit hash to NGINX configurations if you use version control, such as Git.

   For more information, see the following topics:

   - [Add Hash Versioning to Staged Configs](/nim/nginx-configs/stage-configs.md#hash-versioning-staged-configs)
   - [Publish Configs with Hash Versioning to Instances](/nim/nginx-configs/publish-configs.md#publish-configs-instances-hash-versioning)
   - [Publish Configs with Hash Versioning to Instance Groups](/nim/nginx-configs/publish-configs.md#publish-configs-instance-groups-hash-versioning)

## Changes in default behavior {#2-9-0-changes-in-behavior}

This release has the following changes in default behavior:

- [icon: feature] **SSL Certificates can be associated with Instance Groups**<a name="2-9-0-changes-in-behavior-SSL-Certificates-can-be-associated-with-Instance-Groups-39677"></a>

   When assigning SSL certificates for the NGINX data plane, you have the option of associating them with a single instance or with an instance group. When associated with an instance group, the certificates will be shared across all instances in the group.

- [icon: feature] **⚠ Action required: OIDC configurations for the management plane must be updated after upgrading to Instance Manager 2.9.0**<a name="2-9-0-changes-in-behavior-Action-required-OIDC-configurations-for-the-management-plane-must-be-updated-after-upgrading-to-Instance-Manager-290-41952"></a>

   OIDC configuration files were modified to improve support for automation and integration in CI/CD pipelines. To continue using OIDC after upgrading to Instance Manager 2.9.0, you'll need to update these configuration files.

   To take advantage of the expanded functionality for OIDC authentication with NGINX Management Suite, we recommend following one of these two options:

   #### Option 1

   1. During the upgrade, type `Y` when prompted to respond `Y or I  : install the package maintainer's version` for each of the following files:

       - `/etc/nms/nginx/oidc/openid_configuration.conf`
       - `/etc/nms/nginx/oidc/openid_connect.conf`
       - `/etc/nms/nginx/oidc/openid_connect.js`

   1. After the upgrade finishes, make the following changes to the `/etc/nms/nginx/oidc/openid_configuration.conf` file using the `/etc/nms/oidc/openid_connect.conf.dpkg-old` that was created as a backup:

       - Uncomment the appropriate "Enable when using OIDC with" for your IDP (for example, keycloak, azure).
       - Update the `$oidc_authz_endpoint` value with the corresponding value from `openid_connect.conf.dpkg-old`.
       - Update the `$oidc_token_endpoint` value with the corresponding value from `openid_connect.conf.dpkg-old`.
       - Update the `$oidc_jwt_keyfile` value with the corresponding value from `openid_connect.conf.dpkg-old`.
       - Update `$oidc_client` and `$oidc_client_secret` with the corresponding values from `openid_connect.conf.dpkg-old`.
       - Review and restore any other customizations from `openid_connect.conf.dpkg-old` beyond those mentioned above.

   1. Save the file.
   1. Restart NGINX Management Suite:

       ```shell
       sudo systemctl restart nms
       ```

   1. Restart the NGINX web server:

       ```shell
       sudo systemctl restart nginx
       ```

   #### Option 2

   1. Before upgrading Instance Manager, edit the following files with your desired OIDC configuration settings:

       - `/etc/nginx/conf.d/nms-http.conf`
       - `/etc/nms/nginx/oidc/openid_configuration.conf`
       - `/etc/nms/nginx/oidc/openid_connect.conf`
       - `/etc/nms/nginx/oidc/openid_connect.js`

   1. During the upgrade, type `N` when prompted to respond `N or O  : keep your currently-installed version`.
   1. After the upgrade finishes, replace `/etc/nms/nginx/oidc/openid_connect.js` with `openid_connect.js.dpkg-dist`.
   1. Restart NGINX Management Suite:

       ```shell
       sudo systemctl restart nms
       ```

   1. Restart the NGINX web server:

       ```shell
       sudo systemctl restart nginx
       ```
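
To see which of the values listed in Option 1 still need to be carried over from the backup, the two files can be compared variable by variable. This is an added example, not part of the product documentation; it assumes each variable is set in an nginx `map` block with a `default` entry, takes both file paths as arguments, and prints only variable names so the client secret never reaches the terminal or a CI log.

```bash
#!/usr/bin/env bash
# Added example: list the OIDC variables from Option 1 whose value in the
# new config still differs from the .dpkg-old backup.
# Assumption: each variable is defined as
#   map <source> $variable { default "<value>"; }

# Print the default value of one map variable (empty if not defined).
map_default() {   # map_default FILE '$variable'
  awk -v name="$2" '
    $1 == "map" && $3 == name { in_map = 1; next }  # "#map" lines are skipped
    in_map && $1 == "}"       { exit }
    in_map && $1 == "default" {
      sub(/^[ \t]*default[ \t]+/, "")
      sub(/;[ \t]*(#.*)?$/, "")
      gsub(/"/, ""); print; exit
    }' "$1"
}

# Print the names (never the values) of variables that still need updating.
oidc_pending() {  # oidc_pending OLD_BACKUP NEW_CONFIG
  for v in '$oidc_authz_endpoint' '$oidc_token_endpoint' \
           '$oidc_jwt_keyfile' '$oidc_client' '$oidc_client_secret'; do
    old=$(map_default "$1" "$v")
    new=$(map_default "$2" "$v")
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
      echo "$v"
    fi
  done
}

# Run as: script <openid_connect.conf.dpkg-old> <openid_configuration.conf>
if [ "$#" -eq 2 ]; then oidc_pending "$1" "$2"; fi
```

Empty output means every listed value already matches the backup; other customizations in the old file still need the manual review described in the last bullet of that step.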

## Resolved issues {#2-9-0-resolved-issues}

This release fixes the following issues. Use your browser's search function to find the issue ID in the page.

- [icon: resolved] After upgrading to NGINX Instance Manager 2.1.0, the web interface reports timeouts when NGINX Agent configs are published (32349)
- [icon: resolved] Scan misidentifies some NGINX OSS instances as NGINX Plus (35172)
- [icon: resolved] Scan does not update an unmanaged instance to managed (37544)
- [icon: resolved] "Public Key Not Available" error when upgrading Instance Manager on a Debian-based system (39431)
- [icon: resolved] The Type text on the Instances overview page may be partially covered by the Hostname text (39760)
- [icon: resolved] System reports "Attack Signature does not exist" when publishing default Attack Signature (40020)
- [icon: resolved] App Protect: "Assign Policy and Signature Versions" webpage may not initially display newly added policies (40085)
- [icon: resolved] Precompiled Publication setting is reverted to false after error publishing NGINX App Protect policy  (40484)
- [icon: resolved] Upgrading NGINX Management Suite may remove the OIDC configuration for the platform (41328)

## Known issues {#2-9-0-known-issues}

You can find information about known issues in the [Known Issues](/nim/releases/known-issues.md) topic.

