LoadMaster 7.2.40 Release Notes

Refer to the sections below for details about firmware version 7.2.40. This was released on 1st November 2017.

New Features

The following features were added to the 7.2.40 release:

  • Activation Server Local (ASL) LoadMasters have the ability to download Web Application Firewall (WAF) commercial rules and GEO IP blacklist rules.
  • A LoadMaster Web User Interface (WUI) Help menu option to provide knowledge about External Services provided by KEMP.

Feature Enhancements

  • The Call Home feature is now an opt-out process during initial activation of a LoadMaster.
  • Added support in the LoadMaster for the following OWASP secure HTTP response headers: X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security (HSTS).
  • Added the ability to easily delete a Virtual Service and all its nested SubVSs.
  • Real Server enhancements:
    • Added the ability to select from the available list of Real Servers when configuring a Virtual Service or SubVS.
    • On the Real Servers screen, it is possible to sort the Real Server addresses or the status column by clicking the column label.
    • When adding a Real Server to a SubVS, a check box appears that enables you to assign that Real Server to all other SubVSs of the main Virtual Services.
  • Added the ability to use the DNS name as the Online Certificate Status Protocol (OCSP) server.
  • In SAML authentication, the URL provided in the original request from Layer 7 is preserved. This URL gets precedence over the destination URL from the SAML response.
  • Improvements to using an FQDN to designate a Real Server; there is now a configurable DNS Update Interval. Also, Reload DNS Entries for Real Server Errors can be enabled to allow a reload of DNS entries when health checks have errors and an FQDN is associated with the Real Server IP address.
  • When an OCSP server fails to connect, error logs are printed.

Issues Resolved

PD-9886

Fixed a security issue with the initial boot password in the Azure Virtual LoadMaster logs.

PD-9838

Fixed a security issue where the full session ID was printed in the logs. Now, only a partial session ID is printed.

PD-9837

Fixed an issue with the WUI admin login in Password or Client certificate mode.

PD-9768

Fixed a security issue when the 'Logon Transcode' option and ESP are enabled.

PD-9892

Fixed an issue preventing SNORT rules from being applied.

PD-9889

Transparency is removed if the connection to the Real Server is part of an HTTP/2 connection.

PD-9972

Edge Security Pack (ESP) group Common Name and Domain Name can be up to 127 characters long.

PD-9898

Fixed an issue with configuration corruption that caused some GEO features to not function.

PD-9865

Fixed issues that prevented automatic update of GEO IP blacklist rules.

PD-9861

An ESP re-authentication is forced when a closed session is reopened after a user terminates without logging out.

PD-9795

Fixed an issue that caused SAML response decoding to fail.

PD-9770

Added more information to the ESP logs.

PD-9761

Made enhancements to support a high number of connections.

PD-9743

Fixed an issue relating to exporting a template for a Virtual Service that has content switching enabled with default rules.

PD-9666

Fixed an issue with underscores in HTTP header names, which Apache server 2.4 does not handle.

PD-9633

Fixed an issue when using HTTP/1.1 to enable the port number to be used with Checkhost.

PD-9517

Applied username normalization when permitted groups are configured to permit authentication.

PD-9508

With ESP and SAML, the certificate in the SAML response must match the certificate assigned in the SAML SSO domain. This limits the solution to trusted certificates.

PD-9470

Fixed an issue with LDAP Real Server health checks.

PD-9453

Removed pinging of default gateway and nameserver in Azure because they are not supposed to work.

PD-9359

Fixed an issue causing problems for some users authenticating to ESP.

PD-9159

Fixed an issue causing traffic to the back-end to be blocked in certain scenarios when the Web Application Firewall (WAF) is enabled.

PD-10107

Fixed an issue that caused WAF to be inactive upon first licensing in certain scenarios.

PD-10089

Fixed an issue that caused WAF Process Responses to be inactive in certain situations.

PD-10062

Improved error handling when there is an invalid FQDN in OCSP configuration.

PD-9995

Fixed a client certificate issue preventing users from accessing SharePoint or OWA.

PD-9908

Fixed an issue with ESP steering groups.

PD-9903

Fixed an issue with multiple Network Interface Cards (NICs) on Azure Virtual LoadMasters and private IP addresses.

PD-9869

Fixed an issue in Content Rules that caused a rule to be deleted if a 'white space' was the only thing in the 'replacement text' field.

PD-9867

Fixed an issue preventing the global connection timeout from being honored on Virtual Services.

PD-9857

Fixed a rare situation that caused HTTP/2 to crash when using 'RS drop on fail'.

PD-9845

Improved compatibility for Arabic characters when generating local certificates.

PD-9783

Fixed an issue causing the incorrect IP address to be displayed in the tool-tip text on High Availability (HA) icons.

PD-9758

Fixed an issue preventing customers from editing or accessing Office files in SharePoint.

PD-9747

Fixed an issue preventing HA from working with certificate authentication and KEMP 360.

PD-9604

Fixed an import issue preventing Content Rules from being correctly applied to a SubVS.

PD-9590

Improved the subscription expiry display date to be more accurate.

PD-9657

The LoadMaster handles cipher names with special characters better.

PD-9643

Fixed an issue in Azure to permit mapping of IP addresses and add the ability to change IP addresses if a match is not found.

PD-9560

Improved error handling when clicking the shared IP address in HA mode.

PD-9383

Improved error handling for special characters in passwords when working with KEMP 360.

PD-8227

Fixed an issue preventing the addition of network/addresses in the GEO IP blacklist.

PD-7157

Fixed an issue preventing users from attaching files when using OWA or SharePoint if WAF and Kerberos Constrained Delegation (KCD) are both enabled.

PD-8413

Fixed an issue that caused an error if a wildcard port was in a template.

PD-9489

Fixed an issue with the Application Program Interface (API) command to reset the CPU and network usage.

PD-9963

Fixes made to the PowerShell API wrapper in relation to Activation Server Local (ASL) functionality and its interaction with KEMP 360.

PD-9883

Improved error handling when creating Virtual Services with specific ports using the API.

PD-9836

Improved compatibility in the RESTful API when using a Polish character set in passwords.

PD-9781

Added missing parameters to the New-AdcContentRule and Set-AdcContentRule commands in the PowerShell API.

PD-9779

Made the WUI and RESTful API consistent for the Client Authentication Mode ESP parameter.

PD-9771

Fixed a situation that caused the RESTful API to report the wrong status for disabled/down Virtual Services.

PD-9596

Fixed an issue causing the RESTful API to show an incorrect interface value in the showiface command output.

PD-9360

Fixed an issue that caused a crash when restoring a LoadMaster backup with 'Type' All, Base, Base+VS and Base+Geo using the RESTful API.

PD-9349

Fixed the PowerShell API wrapper command Get-AslLicenseType in relation to new ASL behavior.

PD-7978

Fixed an issue with the PowerShell API command New-TlsHSMClientCert that caused an error when the LoadBalancer and Credential/SubjectCN parameters were used.

PD-9129

Fixed an issue with the response formatting in the API backup commands.

Known Issues

PD-10980

A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible.
Further information can be found here: Mitigation For Remote Access Execution Vulnerability.

PD-8725

Proximity and Location Based scheduling does not work with IPv6 source addresses.

PD-9765

GEO does not support DNS TCP requests from unknown sources.

PD-10155

An issue with configuration corruption causes some GEO features not to function.

PD-10392

Random reboots can occur on the master unit after upgrading the firmware to 7.2.39 and patching to 7.2.39.1 or 7.2.40.

PD-10141

Service check interval configuration causes dropped connections.

PD-10193

A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10126

Issues with the cache cause connection problems.

PD-10086

When selecting the 'Use for Default Gateway' option on a new interface, access to the LoadMaster WUI is lost. However, there is still access to the LoadMaster using the local IP address.

PD-10083

There is an issue displaying a large number of Virtual Services/SubVSs when using SNMP.

PD-10080

Failover issues occur with bonded interfaces that are configured to use the default gateway.

PD-10042

WAF statistics do not get reset on Virtual Service deletion.

PD-10039

The HTTP/2 feature is only supported in the Internet Explorer (IE) browser.

PD-9975

When testing LDAP-based users by using the Test AAA for User on the WUI Authentication and Authorization page, logs were not generated or visible in syslog.

PD-9854

WAF does not support chunked transfer encoding on the POST body.

PD-9764

The LoadMaster is unable to set up an IPsec tunnel to Azure classic/Azure Resource Manager (ARM) endpoints.

PD-8697

Some users are having issues detecting the partition when using the Hardware Security Module (HSM).

PD-10188

When adding a Real Server to a Virtual Service or SubVS on a Safari browser, the list of available Real Servers is not available.

PD-10131

Problems attaching files in SharePoint when using WAF with process response enabled and Kerberos Constrained Delegation (KCD).

PD-10159

When upgrading firmware from 7.1.35.x, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10143

Access is denied when KCD, the WAF Process Responses option and the creditcard_track_pan rule are enabled.

PD-9375

Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-10095

When L7 debugging is enabled, Virtual LoadMasters may reboot in certain situations.

PD-7156

The VSIndex parameter is missing in some API commands.

PD-9476

There is no RESTful API command to get/list the installed custom rule data files.

PD-9525

The RESTful API returns the value of the failtime parameter in seconds, but it is set in minutes.

PD-9539

There are issues with the PowerShell New-GeoCluster command in a specific scenario.

PD-9553

There is no API command to disable secure NTP mode.

PD-9570

There is a typo in the removecountry API response error message.

PD-9572

There are discrepancies displaying the location latitude/longitude parameter values for some RESTful API commands.
