LoadMaster 7.2.44 Release Notes

Refer to the sections below for details about firmware version 7.2.44. This was released on 31st October 2018.

7.2.44 - New Features

The following new features were added to the 7.2.44 release:

  • Beta Feature: Additional logging capabilities that enable debug and client trace logging on a per-Virtual Service (VS) level. Because this is a beta feature, it can only be configured in the Web User Interface (WUI); no Application Program Interface (API) functionality has been implemented.
  • Connection Analytics Metrics have been added that provide request/response times and Round-Trip Times (RTT) between the client and the LoadMaster and between the LoadMaster and the Real Server.

    The RTT and request/response metrics between client and LoadMaster are displayed in Statistics > Real Time Statistics under the Virtual Services option when you click the Virtual IP Address.

    The RTT and request/response metrics between LoadMaster and Real Server are displayed in Statistics > Real Time Statistics under the Real Servers option when you click the Real Server IP Address.
  • A new Virtual LoadMaster Product (VLM-3000) is now available for all KEMP Supported Subscription models.
  • Published a Dell EMC ECS application configuration template.

7.2.44 - Feature Enhancements

  • The LoadMaster Operating System (LMOS) Linux kernel was upgraded from linux-4.9.58 to linux-4.9.124 to provide security and stability improvements.
  • The guidance text on the initial and subsequent LoadMaster login pages that explains how to correctly activate Metered Enterprise License Agreement (MELA) LoadMasters using KEMP 360 Central can now be shown or hidden by selecting the Hide Activation Settings Message option on the LoadMaster KEMP 360 Central Activation Settings WUI page. Only the admin user can change this setting.
  • SNMP can now be used to retrieve SSL certificate information. A new certs MIB module (OID: 1.3.6.1.4.1.12196.14.1) displays the SSL certificate information for all SSL certificates installed on the LoadMaster. A maximum of 256 SSL certificates can be displayed. The new MIB module contains the following information:
    • certIdx - Unique Certificate Id
    • certFileName - Certificate file name
    • certSubjectName - Certificate name
    • certSerialNumber - Certificate Serial Number
    • certStartDate - Certificate Start Date
    • certEndDate - Certificate End Date
    • certIssuer - Certificate Issuer
  • SNMP can now be used to retrieve disk usage information. Added the dskEntry information to the UCD-SNMP-MIB Module (OID: 1.3.6.1.4.1.2021.9) to provide LoadMaster disk partition information related to the /var/log and /var/log/userlog partitions.
  • An Edge Security Pack (ESP) enabled VS that uses SAML (Security Assertion Markup Language) as the Client Authentication Mode now has an option to send an Additional Authentication Header. This header is added to the HTTP request from the LoadMaster to the Real Server (RS) and its value is set to the user ID for the authenticated session.
  • The KEMP ID user registration link on the LoadMaster homepage of an unlicensed LoadMaster has been updated to https://kemptechnologies.com/kemp-id-registration/.
  • The Top utility on the LoadMaster has been enhanced to provide more detailed configuration error messages and limits have been set on the configuration values to allow easier setup.

7.2.44 - Issues Resolved

PD-11859

Addressed a further critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management that could, in certain circumstances, allow an unauthorized, remote attacker to bypass security protections, and gain access to sensitive system data, thereby compromising the system. This vulnerability was partially addressed in 7.2.42.0.

The expanded scope of this vulnerability covers exploitation through the use of insecure Web User Interface (WUI) endpoints associated with historical graphs and licensing. These vulnerabilities have been addressed in this release. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.

PD-10421

Corrected some configuration issues with the syslog server settings when using the API and added a new API parameter called syslognone.

PD-10435

Previously, under certain specific conditions, the GEO application logs could fill the allocated partition, which caused the unit to not log any further messages.

Now, GEO application logging has been improved.

PD-10598

Previously, the IdP Certificate Match parameter was missing from the Set-SAMLSPEntity PowerShell command.

Now, a new parameter called idp_match_cert has been added to the Set-SAMLSPEntity PowerShell command.

PD-10783

Corrected an issue where the LoadMaster WUI reported the incorrect value for available system memory.

PD-10874

The issue that prevented the restoring of certificates if the password includes the percentage (%) or ampersand (&) characters has been resolved.

PD-10956

The issue where Single Sign On (SSO) fails in a cluster configuration of three or more LoadMasters with ESP configured has been resolved.

PD-10961

Previously, LoadMasters in an Azure environment were not contacting the KEMP licensing server during a reboot. Now, this issue has been resolved.

PD-11354

Previously, with ESP configured, the time displayed on the LoadMaster WUI for a user in a blocked state was in the incorrect time zone.

Now, the correct time zone is displayed which is the time zone set for the LoadMaster.

PD-11413

Previously, if ESP was enabled and a VS was configured with the Client Authentication Mode set to Client Certificate and Server Authentication Mode set to Kerberos Constrained Delegation (KCD), a user with a certificate in a valid permitted group was unable to log in to the VS.

PD-11436

Previously, if a LoadMaster was configured in High Availability (HA) mode, routing issues existed when adding an IPv6 alternative address to an IPv4 interface.

PD-11472

Previously, if ESP was enabled and a VS was configured with the Client Authentication Mode set to Client Certificate, and the Use for Session Timeout field was set to max duration in the Manage SSO domain configuration, the user session time expiry period increased incorrectly when the browser was refreshed, or when traffic was passed through the VS.

Now, with the above configuration, the user session expiry time stays set to the max duration configured and does not change when the browser is refreshed, or there is traffic activity on the VS.

PD-11499

Previously, if ESP was enabled and dual factor authentication was configured, the incorrect image set was presented after a user logged out.

PD-11503

Previously, in GEO, an incorrect message (GEO ACL Automatic Update file not found) was reported in the logs, even when Enable Automated GEO IP Blacklist data Updates was disabled.

PD-11506

Previously, in an ESP Virtual Service configuration with the Server Authentication Mode set to KCD, some Layer 7 connections were closed and reopened, but the memory for the original connection was not freed up correctly. This caused memory corruption under high load, which introduced instability in the LoadMaster.

Now, with the above configuration, the memory is freed up correctly. Therefore, no memory corruption occurs and the LoadMaster operates as expected under high load.

PD-11577

Previously, a user with the Virtual Services permission could not assign HTTP selection, header modification, or response body modification rules to a VS using the LoadMaster WUI.

Now, a user with just the Virtual Services permission can assign these rules to a VS using the WUI.

PD-11591

Instability within the LoadMaster handling a high volume of API calls has been resolved.

PD-11607

Previously, when the Online Certificate Status Protocol (OCSP) server address was changed on the LoadMaster, the logs reported that the change was made but the change did not take effect.

Now, when the OCSP server address is changed, the changes take effect immediately.

PD-11613

Previously, a user with just the GEO Control permission was not permitted to enable the GSLB functionality on the LoadMaster.

PD-11636

Previously, on a Federal Information Processing Standards (FIPS) enabled hardware LoadMaster during creation of a Virtual Service, this log output appeared on the LoadMaster WUI: /tmp/cert.list: No such file or directory.

Now, this output no longer appears on the LoadMaster WUI.

PD-11662

Previously, the ps command output in the LoadMaster backup file was not correctly saved.

PD-11670

Previously, when the LoadMaster was configured in cluster mode, a cluster member that was actually down was displayed as Disabled on the WUI cluster status page.

Now, the node status is displayed correctly for all statuses.

PD-11698

Previously, with ESP enabled and a VS configured with the Client Authentication Mode set to Client Certificate and the Server Authentication Mode set to KCD, an issue occurred which resulted in the VS dropping all connections.

Now, the issue has been resolved and the above VS configuration works successfully.

PD-11711

Fixed an issue where the GET serialnumber API response contained an extra white space after the serial number.

PD-11715

Previously, during periods of very high load and major Real Server instability, a kernel panic could be triggered due to incorrect message handling within Layer 7.

PD-11717

Previously, issues were seen where incorrect user information was retrieved from an LDAP endpoint when default and alternative SSO domains were configured on a Virtual Service with ESP configured.

PD-11726

Previously, SAML response processing did not correctly take multiple key-value pairs into account when attempting to decode the HTTP POST data.

Now, the HTTP POST data is processed to detect all key-value pairs, and only the SAML response data is selectively processed.
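
The following added example is not Kemp's code. It illustrates the behaviour described for PD-11726: every key-value pair in a form-encoded POST body is parsed, and only the SAML response field is decoded. The field names SAMLResponse and RelayState are assumed from the SAML HTTP POST binding; the function names and the sample data are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Constructed sample: a minimal, unsigned SAML Response used only as test data.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0"/>'
)


def build_post_body(xml: str, relay_state: str) -> bytes:
    """Build a constructed form body with two fields, as a browser would post it."""
    b64 = base64.b64encode(xml.encode()).decode()
    return urlencode({"RelayState": relay_state, "SAMLResponse": b64}).encode()


def extract_saml_response(body: bytes) -> bytes:
    """Return the decoded SAMLResponse field from a form-encoded POST body.

    Every key-value pair is parsed first; only SAMLResponse is decoded.
    Raises ValueError if the field is missing, repeated, or not valid base64.
    """
    fields = parse_qs(body.decode("ascii"), keep_blank_values=True,
                      strict_parsing=True)
    values = fields.get("SAMLResponse", [])
    if len(values) != 1:
        raise ValueError(f"expected one SAMLResponse field, got {len(values)}")
    try:
        return base64.b64decode(values[0], validate=True)
    except binascii.Error as exc:
        raise ValueError("SAMLResponse is not valid base64") from exc


if __name__ == "__main__":
    body = build_post_body(SAMPLE_XML, "https://app.example.test/owa")
    print(extract_saml_response(body).decode())
```

Rejecting a repeated SAMLResponse field, rather than picking the first or last value, avoids two components disagreeing about which assertion was posted.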

PD-11731

Resolved an issue that caused connections to drop when using SAML and KCD.

PD-11732

Resolved an issue with client certificate base name parsing.

PD-11742

Previously, when a client connected to Outlook Web App (OWA) with SAML and the user session expired, refreshing the browser page made it unresponsive and did not redirect the user to the OWA login page.

PD-11744

Resolved an issue where POST requests with Firefox browsers for HTTP2-enabled Virtual Services did not work.

PD-11778

Resolved an issue where configuration changes made to GEO FQDN site mapping were not replicated to the GEO partner.

PD-11802

An issue where statistics did not display Bits/Bytes data for a Layer 7 UDP-configured Virtual Service has been resolved.

PD-11825

Previously, with ESP enabled and Dual Factor Authentication configured with RADIUS and LDAP, in certain cases an invalid remote user was able to log in after a previous valid user had successfully logged in.

PD-11880

Resolved an issue where a local user was unable to access the LoadMaster WUI when Use ONLY if other AAA services fail was not selected.

PD-11893

Fixed an issue where WAF Audit Logs in the Extended Log Files section of the LoadMaster WUI were not being displayed correctly.

7.2.44 - Known Issues

PD-12058

An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.

PD-12034

High CPU and memory utilization may still be experienced in some cases when the Client Authentication Mode is set to SAML and the Server Authentication Mode is set to KCD.

PD-12000

There is no API parameter to set the ESP SSO option called Use LDAP Endpoint for Healthcheck.

PD-11939

The API parameter for setting the Allowed Virtual Directories in ESP Options for a Virtual Service only allows 127 characters but the LoadMaster WUI allows 254 characters.

PD-11861

IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.

PD-11858

There are differences between what the API reports in relation to Real Server and Virtual Service status compared to what the LoadMaster WUI reports.

PD-11834

Some issues exist when using NTP with a LoadMaster HA configuration.

PD-11823

There are issues when using an ESP-enabled Virtual Service that is configured to use nested groups with steering groups.

PD-11767

There are issues logging in with SSO in an ESP-enabled Virtual Service that is configured to use Form Based as the Server Authentication Mode.

PD-11760

In an AWS environment, if the default gateway of the LoadMaster is set on any interface other than eth0 following a LoadMaster reboot, the default gateway reverts to eth0.

PD-11621

In a GEO configuration with Stickiness set in the Miscellaneous Params WUI screen, a requested Fully Qualified Domain Name (FQDN) is not returned correctly if the Fail Over location is set to Everywhere.

PD-11520

If a LoadMaster license is downgraded to remove ESP or the Web Application Firewall (WAF), the Virtual Service still displays that these features are configured in the View/Modify Services WUI screen, even though the functionality was removed.

PD-11351

An out-of-context memory condition exists when memory that was previously allocated to a connection between the Layer 7 engine and SSL handling engine is being utilized by another process/task. In this scenario, the memory pointer is present, but it is not what the system is expecting, and this condition results in a kernel panic.

PD-11253

There is no RESTful or PowerShell API parameter to add a Real Server to all SubVSs.

PD-11109

The RESTful API does not respond with the correct warning message if the user is unable to enable WAF.

PD-11044

A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.

PD-11040

Under certain conditions, the ESP logs can fill the allocated partition for /var/log/userlog which may cause the unit to reboot.

PD-11024

The WUI is not accessible on NIC-1 from a non-local subnet.

PD-10970

If a template is exported from an older version of the LoadMaster and it contains an improper string, a newer LoadMaster cannot import it.

PD-10917

An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.

PD-10784

Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.

PD-10627

There are issues when replacing clustered nodes.

PD-10586

If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.

PD-10572

The extended log view fails when the selected range is in different years.

PD-10490

The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10474

A SNORT rule is triggering a false positive in certain scenarios.

PD-10466

The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).

PD-10363

The PowerShell API is missing the ServerFbaPath and ServerFBAPPost parameters.

PD-10193

A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10188

When adding a Real Server to a Virtual Service or SubVS using a Safari browser, the list of available Real Servers is not available.

PD-10159

When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10155

An issue with configuration corruption is causing some GEO features to not function.

PD-10136

In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.

PD-10129

There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-9947

Virtual Services/Real Servers can report as "up" in the API, even if the SubVSs are disabled.

PD-9854

WAF does not support chunked transfer encoding on the POST body.

PD-9816

There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9765

GEO does not support DNS TCP requests from unknown sources.

PD-9553

There is no API command to disable secure NTP mode.

PD-9507

Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9476

There is no RESTful API command to get/list the installed custom rule data files.

PD-9375

Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-8853

GEO Location Based failover does not work as expected.

PD-8725

GEO Proximity and Location Based scheduling do not work with IPv6 source addresses.

PD-8697

Some users are experiencing issues detecting the partition when using the Hardware Security Module (HSM).

PD-7156

The VSIndex parameter is missing in some API commands.

