LoadMaster 7.2.44 Release Notes
Refer to the sections below for details about firmware version 7.2.44. This was released on 31st October 2018.
7.2.44 - New Features
The following new features were added to the 7.2.44 release:
- Beta Feature: Additional logging capabilities that enable debug and client trace logging on a per-Virtual Service (VS) level. Because this is a beta feature, only Web User Interface (WUI) configuration is supported; no Application Program Interface (API) functionality has been implemented.
- Connection Analytics Metrics have been added that provide request/response times and Round-Trip Times (RTT) between the client and the LoadMaster, and between the LoadMaster and the Real Server.
  The RTT and request/response metrics between client and LoadMaster are displayed in Statistics > Real Time Statistics under the Virtual Services option when you click the Virtual IP Address.
  The RTT and request/response metrics between LoadMaster and Real Server are displayed in Statistics > Real Time Statistics under the Real Servers option when you click the Real Server IP Address.
- A new Virtual LoadMaster Product (VLM-3000) is now available for all KEMP Supported Subscription models.
- Published a Dell EMC ECS application configuration template.
7.2.44 - Feature Enhancements
- The LoadMaster Operating System (LMOS) Linux kernel was upgraded from linux-4.9.58 to linux-4.9.124 to provide security and stability improvements.
- The visibility of guidance text on the initial and subsequent LoadMaster login pages on how to correctly activate Metered Enterprise License Agreement (MELA) LoadMasters using KEMP 360 Central is now configurable on the LoadMaster KEMP 360 Central Activation Settings WUI page by selecting the option Hide Activation Settings Message. Only the admin user can change this setting.
- SNMP can now be used to retrieve SSL certificate information. A new certs MIB module (OID: 1.3.6.1.4.1.12196.14.1) displays the SSL certificate information for all SSL certificates installed on the LoadMaster. A maximum of 256 SSL certificates can be displayed. The new MIB module contains the following information:
  - certIdx - Unique Certificate Id
  - certFileName - Certificate file name
  - certSubjectName - Certificate name
  - certSerialNumber - Certificate Serial Number
  - certStartDate - Certificate Start Date
  - certEndDate - Certificate End Date
  - certIssuer - Certificate Issuer
- SNMP can now be used to retrieve disk usage information. Added the dskEntry information to the UCD-SNMP-MIB Module (OID: 1.3.6.1.4.1.2021.9) to provide LoadMaster disk partition information related to the /var/log and /var/log/userlog partitions.
- An Edge Security Pack (ESP) enabled VS that uses SAML (Security Assertion Markup Language) as the Client Authentication Mode now has an option to send an Additional Authentication Header. This header is added to the HTTP request from the LoadMaster to the Real Server (RS) and its value is set to the user ID for the authenticated session.
- The KEMP ID user registration link on the LoadMaster homepage of an unlicensed LoadMaster has been updated to https://kemptechnologies.com/kemp-id-registration/.
- The Top utility on the LoadMaster has been enhanced to provide more detailed configuration error messages and limits have been set on the configuration values to allow easier setup.
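As an added example (not part of the release notes or of KEMP's tooling), the following parser turns `snmpwalk -On` output for the dskEntry subtree into an alert list for the /var/log and /var/log/userlog partitions. The column numbers are the standard UCD-SNMP-MIB ones (dskPath = 2, dskPercent = 9); the sample walk, the 80% threshold and the function names are assumptions made for the illustration.

```python
import re

# Standard UCD-SNMP-MIB dskTable entry and the two columns used here.
DSK_ENTRY = "1.3.6.1.4.1.2021.9.1"
DSK_PATH, DSK_PERCENT = "2", "9"  # dskPath, dskPercent
EXPECTED = ("/var/log", "/var/log/userlog")  # partitions named in the notes

# Constructed sample of `snmpwalk -On` output; the values are illustrative.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2021.9.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.9.1.1.2 = INTEGER: 2
.1.3.6.1.4.1.2021.9.1.2.1 = STRING: /var/log
.1.3.6.1.4.1.2021.9.1.2.2 = STRING: /var/log/userlog
.1.3.6.1.4.1.2021.9.1.9.1 = INTEGER: 41
.1.3.6.1.4.1.2021.9.1.9.2 = INTEGER: 93
"""

LINE = re.compile(r"^\.?" + re.escape(DSK_ENTRY) + r"\.(\d+)\.(\d+) = (\w+): (.*)$")

def parse_dsk_table(walk_text):
    """Return {row_index: {column_number: value}} for dskEntry lines."""
    rows = {}
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other OIDs, timeouts, "No Such Object" lines
        column, index, _type, value = m.groups()
        rows.setdefault(index, {})[column] = value.strip().strip('"')
    return rows

def partitions_over(walk_text, threshold_pct=80):
    """List (path, percent_used) for partitions at or above the threshold."""
    alerts = []
    for row in parse_dsk_table(walk_text).values():
        path, pct = row.get(DSK_PATH), row.get(DSK_PERCENT)
        if path and pct and pct.isdigit() and int(pct) >= threshold_pct:
            alerts.append((path, int(pct)))
    return sorted(alerts)

def missing_partitions(walk_text, expected=EXPECTED):
    """Expected paths absent from the walk: the check itself is blind to them."""
    seen = {row.get(DSK_PATH) for row in parse_dsk_table(walk_text).values()}
    return [p for p in expected if p not in seen]

if __name__ == "__main__":
    for path, pct in partitions_over(SAMPLE_WALK):
        print(f"WARNING: {path} is {pct}% full")
    for path in missing_partitions(SAMPLE_WALK):
        print(f"UNKNOWN: no dskEntry row for {path}")
```

Treating a missing row as its own condition matters here because a full log partition stops further logging, so a silent gap in monitoring and a silent gap in logs would coincide.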
7.2.44 - Issues Resolved
| PD-11859 | Addressed a further critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management that could, in certain circumstances, allow an unauthorized, remote attacker to bypass security protections, and gain access to sensitive system data, thereby compromising the system. This vulnerability was partially addressed in 7.2.42.0. The expanded scope of this vulnerability covers exploitation through the use of insecure Web User Interface (WUI) endpoints associated with historical graphs and licensing. These vulnerabilities have been addressed in this release. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
| PD-10421 | Corrected some configuration issues with syslog server setting using the API and added a new API parameter called syslognone. |
| PD-10435 | Previously, under certain specific conditions, the GEO application logs could fill the allocated partition, which caused the unit to not log any further messages. Now, GEO application logging has been improved. |
| PD-10598 | Previously, the IdP Certificate Match parameter was missing from the Set-SAMLSPEntity PowerShell command. Now, a new parameter called idp_match_cert has been added to the Set-SAMLSPEntity PowerShell command. |
| PD-10783 | Corrected an issue where the LoadMaster WUI reported the incorrect value for available system memory. |
| PD-10874 | The issue that prevented the restoring of certificates if the password includes the percentage (%) or ampersand (&) characters has been resolved. |
| PD-10956 | The issue where Single Sign On (SSO) fails in a cluster configuration of three or more LoadMasters with ESP configured has been resolved. |
| PD-10961 | Previously, LoadMasters in an Azure environment were not contacting the KEMP licensing server during a reboot. Now, this issue has been resolved. |
| PD-11354 | Previously, with ESP configured, the time displayed on the LoadMaster WUI for a user in a blocked state was in the incorrect time zone. Now, the correct time zone is displayed which is the time zone set for the LoadMaster. |
| PD-11413 | Previously, if ESP was enabled and a VS was configured with the Client Authentication Mode set to Client Certificate and Server Authentication Mode set to Kerberos Constrained Delegation (KCD), a user with a certificate in a valid permitted group was unable to log in to the VS. |
| PD-11436 | Previously, if a LoadMaster was configured in High Availability (HA) mode, routing issues existed when adding an IPv6 alternative address to an IPv4 interface. |
| PD-11472 | Previously, if ESP was enabled and a VS was configured with the Client Authentication Mode set to Client Certificate, and the Use for Session Timeout field was set to max duration in the Manage SSO domain configuration, the user session time expiry period increased incorrectly when the browser was refreshed, or when traffic was passed through the VS. Now, with the above configuration, the user session expiry time stays set to the max duration configured and does not change when the browser is refreshed, or there is traffic activity on the VS. |
| PD-11499 | Previously, if ESP was enabled and dual factor authentication was configured, the incorrect image set was presented after a user logged out. |
| PD-11503 | Previously, in GEO, an incorrect message (GEO ACL Automatic Update file not found) was reported in the logs, even when Enable Automated GEO IP Blacklist data Updates was disabled. |
| PD-11506 | Previously, in an ESP Virtual Service configuration with the Server Authentication Mode set to KCD, some Layer 7 connections were closed and reopened, but the memory for the original connection was not freed up correctly. This caused memory corruption under high load, which introduced instability in the LoadMaster. Now, with the above configuration, the memory is freed up correctly. Therefore, no memory corruption occurs and the LoadMaster operates as expected under high load. |
| PD-11577 | Previously, a user with the Virtual Services permission could not assign HTTP selection, header modification, or response body modification rules to a VS using the LoadMaster WUI. Now, a user with just the Virtual Services permission can assign these rules to a VS using the WUI. |
| PD-11591 | Instability within the LoadMaster handling a high volume of API calls has been resolved. |
| PD-11607 | Previously, when the Online Certificate Status Protocol (OCSP) server address was changed on the LoadMaster, the logs reported that the change was made but the change did not take effect. Now, when the OCSP server address is changed, the changes take effect immediately. |
| PD-11613 | Previously, a user with just the GEO Control permission was not permitted to enable the GSLB functionality on the LoadMaster. |
| PD-11636 | Previously, on a Federal Information Processing Standards (FIPS) enabled hardware LoadMaster during creation of a Virtual Service, this log output appeared on the LoadMaster WUI: /tmp/cert.list: No such file or directory. Now, this output no longer appears on the LoadMaster WUI. |
| PD-11662 | Previously, the ps command output in the LoadMaster backup file was not correctly saved. |
| PD-11670 | Previously, when the LoadMaster was configured in cluster mode, a cluster member that was actually down was displayed as Disabled on the WUI cluster status page. Now, the node status is displayed correctly for all statuses. |
| PD-11698 | Previously, with ESP enabled and a VS configured with the Client Authentication Mode set to Client Certificate and the Server Authentication Mode set to KCD, an issue occurred which resulted in the VS dropping all connections. Now, the issue has been resolved and the above VS configuration works successfully. |
| PD-11711 | Fixed an issue where the GET serialnumber API response contained an extra white space after the serial number. |
| PD-11715 | Previously, during periods of very high load and major Real Server instability, a kernel panic could be triggered due to incorrect message handling within Layer 7. |
| PD-11717 | Previously, issues have been seen where incorrect user information has been retrieved from an LDAP endpoint when default and alternative SSO domains have been configured on a Virtual Service with ESP configured. |
| PD-11726 | Previously, SAML response processing did not take multiple key value pairs into account correctly when attempting to decode the HTTP POST data. Now, the HTTP POST data is processed to detect all key value pairs and will selectively process the SAML response data only. |
| PD-11731 | Resolved an issue that caused connections to drop when using SAML and KCD. |
| PD-11732 | Resolved an issue with client certificate base name parsing. |
| PD-11742 | Previously, when a client connects to Outlook Web App (OWA) with SAML and the user session expires, if the browser page was refreshed it became unresponsive and did not redirect them to the OWA login page. |
| PD-11744 | Resolved an issue where POST requests with Firefox browsers for HTTP2-enabled Virtual Services did not work. |
| PD-11778 | Resolved an issue where configuration changes made to GEO FQDN site mapping were not replicated to the GEO partner. |
| PD-11802 | An issue where statistics did not display Bits/Bytes data for a Layer 7 UDP-configured Virtual Service has been resolved. |
| PD-11825 | Previously, with ESP enabled and Dual Factor Authentication configured with RADIUS and LDAP, in certain cases an invalid remote user was able to log in after a previous valid user had successfully logged in. |
| PD-11880 | Resolved an issue where a local user was unable to access the LoadMaster WUI when Use ONLY if other AAA services fail was not selected. |
| PD-11893 | Fixed an issue where WAF Audit Logs in the Extended Log Files section of the LoadMaster WUI were not being displayed correctly. |
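The behaviour described for PD-11726, sketched as an added example that is not KEMP's implementation: a form-encoded POST body is split into all of its key/value pairs and only the SAMLResponse field is decoded. The field name comes from the SAML HTTP POST binding; rejecting a repeated SAMLResponse, the function and exception names, and the sample body are assumptions made for the illustration.

```python
import base64
from urllib.parse import parse_qsl, urlencode

class SAMLPostError(ValueError):
    """The POST body does not carry exactly one decodable SAMLResponse."""

def extract_saml_response(body: bytes) -> bytes:
    """Return the base64-decoded SAMLResponse from a form-encoded body."""
    try:
        # Split on every '&' so fields before or after SAMLResponse
        # (RelayState, hidden form inputs) cannot leak into the payload.
        pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True)
    except ValueError as exc:  # non-ASCII bytes or a field without '='
        raise SAMLPostError("malformed form body") from exc

    values = [value for key, value in pairs if key == "SAMLResponse"]
    if len(values) != 1:
        # Assumed policy: zero or repeated fields are ambiguous, so refuse
        # rather than guess which one a later component would pick.
        raise SAMLPostError(f"expected one SAMLResponse, found {len(values)}")
    try:
        return base64.b64decode(values[0], validate=True)
    except ValueError as exc:
        raise SAMLPostError("SAMLResponse is not valid base64") from exc

# Constructed sample: SAMLResponse sits between two unrelated fields.
SAMPLE_XML = b'<samlp:Response ID="_constructed-example"/>'
SAMPLE_BODY = urlencode([
    ("RelayState", "constructed-relay-state"),
    ("SAMLResponse", base64.b64encode(SAMPLE_XML).decode()),
    ("lang", "en"),
]).encode()

if __name__ == "__main__":
    print(extract_saml_response(SAMPLE_BODY).decode())
```

The decoded bytes are still untrusted XML at this point; signature and condition checks happen after extraction.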
7.2.44 - Known Issues
| PD-12058 | An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster. |
| PD-12034 | High CPU and memory utilization may still be experienced in some cases when the Client Authentication Mode is set to SAML and the Server Authentication Mode is set to KCD. |
| PD-12000 | There is no API parameter to set the ESP SSO option called Use LDAP Endpoint for Healthcheck. |
| PD-11939 | The API parameter for setting the Allowed Virtual Directories in ESP Options for a Virtual Service only allows 127 characters but the LoadMaster WUI allows 254 characters. |
| PD-11861 | IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication. |
| PD-11858 | There are differences between what the API reports in relation to Real Server and Virtual Service status compared to what the LoadMaster WUI reports. |
| PD-11834 | Some issues exist when using NTP with a LoadMaster HA configuration. |
| PD-11823 | There are issues when using an ESP-enabled Virtual Service that is configured to use nested groups with steering groups. |
| PD-11767 | There are issues logging in with SSO in an ESP-enabled Virtual Service that is configured to use Form Based as the Server Authentication Mode. |
| PD-11760 | In an AWS environment, if the default gateway of the LoadMaster is set on any interface other than eth0 following a LoadMaster reboot, the default gateway reverts to eth0. |
| PD-11621 | In a GEO configuration with Stickiness set in the Miscellaneous Params WUI screen, a requested Fully Qualified Domain Name (FQDN) is not returned correctly if the Fail Over location is set to Everywhere. |
| PD-11520 | If a LoadMaster license is downgraded to remove ESP or the Web Application Firewall (WAF), the Virtual Service still displays that these features are configured in the View/Modify Services WUI screen, even though the functionality was removed. |
| PD-11351 | An out-of-context memory condition exists when memory that was previously allocated to a connection between the Layer 7 engine and SSL handling engine is being utilized by another process/task. In this scenario, the memory pointer is present, but it is not what the system is expecting, and this condition results in a kernel panic. |
| PD-11253 | There is no RESTful or PowerShell API parameter to add a Real Server to all SubVSs. |
| PD-11109 | The RESTful API does not respond with the correct warning message if the user is unable to enable WAF. |
| PD-11044 | A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication. |
| PD-11040 | Under certain conditions, the ESP logs can fill the allocated partition for /var/log/userlog which may cause the unit to reboot. |
| PD-11024 | The WUI is not accessible on NIC-1 from a non-local subnet. |
| PD-10970 | If a template is exported from an older version of the LoadMaster and it contains an improper string, a newer LoadMaster cannot import it. |
| PD-10917 | An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure. |
| PD-10784 | Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work. |
| PD-10627 | There are issues when replacing clustered nodes. |
| PD-10586 | If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled. |
| PD-10572 | The extended log view fails when the selected range is in different years. |
| PD-10490 | The vsremovewafrule RESTful API command does not allow multiple rules to be removed. |
| PD-10474 | A SNORT rule is triggering a false positive in certain scenarios. |
| PD-10466 | The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF). |
| PD-10363 | The PowerShell API is missing the ServerFbaPath and ServerFBAPPost parameters. |
| PD-10193 | A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported. |
| PD-10188 | When adding a Real Server to a Virtual Service or SubVS using a Safari browser, the list of available Real Servers is not available. |
| PD-10159 | When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI. |
| PD-10155 | An issue with configuration corruption is causing some GEO features to not function. |
| PD-10136 | In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node. |
| PD-10129 | There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout. |
| PD-9947 | Virtual Services/Real Servers can report as "up" in the API, even if the SubVSs are disabled. |
| PD-9854 | WAF does not support chunked transfer encoding on the POST body. |
| PD-9816 | There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves. |
| PD-9765 | GEO does not support DNS TCP requests from unknown sources. |
| PD-9553 | There is no API command to disable secure NTP mode. |
| PD-9507 | Unable to add an SDN controller using the RESTful API/WUI in a specific scenario. |
| PD-9476 | There is no RESTful API command to get/list the installed custom rule data files. |
| PD-9375 | Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication. |
| PD-8853 | GEO Location Based failover does not work as expected. |
| PD-8725 | GEO Proximity and Location Based scheduling do not work with IPv6 source addresses. |
| PD-8697 | Some users are experiencing issues detecting the partition when using the Hardware Security Module (HSM). |
| PD-7156 | The VSIndex parameter is missing in some API commands. |