Legacy LoadMaster Release Notes
1 Software Release Notes Introduction
This document provides release notes for legacy LoadMaster firmware versions.
To see release notes for newer firmware versions, go to the LoadMaster Release Notes section of the Kemp Documentation Page.
We recommend that you fully back up the LoadMaster configuration before upgrading the software. Instructions for backing up the LoadMaster are described in the documentation, which can be found at https://kemptechnologies.com/documentation.
Installation of this software and reloading of the configuration may take up to five minutes, or possibly more, during which time the LoadMaster being upgraded is unavailable to carry traffic.
1.1 Pre-requisites
The following are recommendations for upgrading the software:
The person undertaking the upgrade should be a network administrator or someone with equivalent knowledge.
In case of issues restoring backup configurations, configuring LoadMaster or other maintenance issues, please refer to the LoadMaster documentation which can be found at https://kemptechnologies.com/documentation.
1.2 Support
If there are problems loading the software release, please contact Kemp support staff and a Kemp Support Engineer will get in touch with you promptly: https://kemptechnologies.com/support
2 Compatible Products
3 Release 7.1.35.5
Refer to the sections below for details about firmware version 7.1.35.5. This was released on 22nd March 2018.
3.1 7.1.35.5 - New Features
The following feature was added to the 7.1.35.5 release:
- Added support for the new LM-X series of LoadMaster hardware.
3.2 7.1.35.5 - Feature Enhancements
- The LTS build is now available in the Azure Marketplace.
- Updated the Copyright Notices on the LoadMaster console and Web User Interface (WUI).
3.3 7.1.35.5 - Issues Resolved
PD-11023 | Previously, a critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Now, this vulnerability has been mitigated against with more stringent security checks. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
3.4 7.1.35.5 - Known Issues
PD-10241 | Unable to patch upgrade using the Application Program Interface (API) to newer versions of the LoadMaster. |
PD-10138 | Only text/XML and application/JSON content types are supported with the Inspect HTML POST Request Content feature. |
PD-10192 | The LoadMaster is unable to set up an IPsec tunnel to Azure classic/Azure Resource Manager (ARM) endpoints. |
PD-10187 | Web Application Firewall (WAF) statistics do not get reset on Virtual Service deletion. |
PD-10184 | An issue exists which prevents some users from accessing some Virtual Services when using WAF. |
PD-10183 | WAF does not block the response, even when the Process Responses option is enabled on the Virtual Service. |
PD-10182 | Enabling WAF on a Virtual Service with no rules applied causes a specific web feature to fail. |
PD-10181 | When an HTTP response contains a status of HTTP/1.1 500 Internal Server Error and the location header is populated, the response to the client is dropped and the client sees nothing. |
PD-10180 | High CPU utilization can be seen when using WAF in certain situations. |
PD-9976 | An issue occurs preventing Layer7 from initializing when processing SNORT rules. |
PD-9953 | A security issue exists causing the initial boot password to be written in the Azure Virtual LoadMaster logs. |
PD-9777 | Issues can occur when using the license API if the timezone on the LoadMaster is set to GMT-X. |
PD-9950 | LoadMaster VNF HA does not work on LoadMaster versions 7.1.35.n and 7.2.36.n. It does work on LoadMaster version 7.2.37 and above. |
PD-10155 | Issue with configuration corruption causes some GEO features not to function. |
PD-9901 | HA does not work with LTS VNF 7.1.35.4 on the Multi-Tenant LoadMaster. |
PD-9770 | ESP logs missing some information. |
PD-9743 | Issues importing some template files that have the default rule assigned. |
PD-9666 | Headers with underscores are not accepted by Apache 2.4. |
PD-9660 | The LoadMaster is changing RADIUS passwords in some scenarios. |
PD-9633 | Unable to set the check host with the port attached in the WUI (it works using the API or CLI). |
PD-9517 | Unable to authenticate some users when the password is expired and permitted groups are used. |
PD-9508 | ESP only verifies SAML assertions when using the root certificate. |
PD-9504 | Some users are experiencing issues with HA failover on Multi-Tenant LoadMaster units. |
PD-10159 | CPU and network usage graphs not appearing after firmware upgrade. Resetting the statistic counters does not clear the graph data. |
PD-9470 | LDAP Real Server health checking is not working optimally. |
PD-9453 | Some Azure users are having issues licensing due to communication issues with the default gateway. |
PD-9359 | Some users unable to authenticate using ESP. |
PD-9159 | When WAF is enabled there is no traffic on the back-end in certain scenarios. |
PD-8697 | Some users having issues detecting the partition when using the Hardware Security Module (HSM). |
PD-9768 | Security issue in the SSO debug logs relating to the logon transcode option. |
PD-9657 | Naming a cipher set using - or + results in some issues. |
PD-9643 | Unable to change the IP address of a Virtual Service in an Azure LoadMaster. |
PD-9604 | Issues when trying to import some custom templates. |
PD-9783 | HA status tool tip on slave unit displays incorrect IP addresses. |
PD-9758 | Some users are unable to edit or access Office files from SharePoint when using SAML and KCD authentication. |
PD-7157 | When using WAF and KCD, all file attachments in SharePoint fail. |
PD-7265 | No redirection when the shared IP address is changed using the WUI. |
PD-8746 | If a LoadMaster licensed with WAF rules has had rules downloaded/installed and then a factory reset is performed, it is not possible to download/install WAF rules. |
PD-8413 | It is not possible to specify a wildcard port when creating a Virtual Service from a template. |
PD-9129 | The API command to backup contains an error that breaks the PowerShell wrapper connection. |
PD-9779 | Discrepancies between the WUI and RESTful API parameter for "Client Authentication Mode". |
PD-9596 | The showiface RESTful API command shows the wrong interface values in the output for interfaces that are not configured. |
PD-9572 | There are discrepancies displaying the location latitude/longitude parameter values for some RESTful API commands. |
PD-9570 | There is a typo in the removecountry API response error message. |
PD-9553 | There is no API command to disable secure NTP mode. |
PD-9539 | Issues with the PowerShell New-GeoCluster command in a specific scenario. |
PD-9525 | The RESTful API returns the value of the failtime parameter in seconds, but it is set in minutes. |
PD-9523 | In a specific scenario, the RESTful API returns a success message when fetching a non-existing GEO FQDN. |
PD-9476 | There is no RESTful API command to get/list the installed custom rule data files. |
PD-7156 | The VSIndex parameter is missing in some API calls. |
PD-9575 | There are issues with some aclcontrol API commands. |
PD-10160 | The API commands to reset the CPU and network graphs do not work. |
4 Release 7.1.35.4
Refer to the sections below for details about firmware version 7.1.35.4. This was released on 2nd August 2017.
4.1 7.1.35.4 - Feature Enhancements
- Updated OpenSSH to version 7.5p1
- Improvements made to support a high number of connections.
4.2 7.1.35.4 - Issues Resolved
PD-9678 | Fixed an issue that was causing there to be no back-end traffic when the Web Application Firewall (WAF) was enabled. |
PD-9650 | Fixed an issue that was causing WAF to block the uploading of files larger than 1MB. |
PD-9631 | It is possible to modify the IP address of the shared IP on a VLAN interface. |
PD-9438 | Fixed an issue with the Drop Connections on RS failure that caused high RAM usage. |
PD-9353 | Fixed an issue that caused the LoadMaster to reboot when the persistence mode of a UDP syslog Virtual Service was changed. |
PD-9352 | Fixed an issue that caused simultaneous health check failures. |
PD-9333 | Removed "deprecated option" SSO manager logs. |
PD-9769 | Fixed a security issue with the SSO debug logs relating to the logon transcode option. |
PD-9637 | Mitigated against the CVE-2017-8890 vulnerability. |
PD-9756 | Fixed an issue with certificate authentication when using a HA pair. |
PD-9569 | Fixed an issue with special space characters and local LoadMaster user authentication. |
PD-9806 | Fixed an issue with some aclcontrol API commands. |
PD-9790 | The CheckPort and CheckPattern API parameters can be unset using the API. |
PD-9773 | Fixed an issue that showed different statuses for disabled Virtual Services in the API. |
4.3 7.1.35.4 - Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-9950 | LoadMaster VNF HA does not work on LoadMaster versions 7.1.35.n and 7.2.36.n. It does work on LoadMaster version 7.2.37 and above. |
PD-10155 | Issue with configuration corruption causes some GEO features not to function. |
PD-9901 | HA does not work with LTS VNF 7.1.35.4 on the Multi-Tenant LoadMaster. |
PD-9770 | ESP logs missing some information. |
PD-9743 | Issues importing some template files that have the default rule assigned. |
PD-9666 | Headers with underscores are not accepted by Apache 2.4. |
PD-9660 | The LoadMaster is changing RADIUS passwords in some scenarios. |
PD-9633 | Unable to set the check host with the port attached in the WUI (it works using the API or CLI). |
PD-9517 | Unable to authenticate some users when the password is expired and permitted groups are used. |
PD-9508 | ESP only verifies SAML assertions when using the root certificate. |
PD-9504 | Some users are experiencing issues with HA failover on Multi-Tenant LoadMaster units. |
PD-10159 | CPU and network usage graphs not appearing after firmware upgrade. Resetting the statistic counters does not clear the graph data. |
PD-9470 | LDAP Real Server health checking is not working optimally. |
PD-9453 | Some Azure users are having issues licensing due to communication issues with the default gateway. |
PD-9359 | Some users unable to authenticate using ESP. |
PD-9159 | When WAF is enabled there is no traffic on the back-end in certain scenarios. |
PD-8697 | Some users having issues detecting the partition when using the Hardware Security Module (HSM). |
PD-9768 | Security issue in the SSO debug logs relating to the logon transcode option. |
PD-9657 | Naming a cipher set using - or + results in some issues. |
PD-9643 | Unable to change the IP address of a Virtual Service in an Azure LoadMaster. |
PD-9604 | Issues when trying to import some custom templates. |
PD-9783 | HA status tool tip on slave unit displays incorrect IP addresses. |
PD-9758 | Some users are unable to edit or access Office files from SharePoint when using SAML and KCD authentication. |
PD-7157 | When using WAF and KCD, all file attachments in SharePoint fail. |
PD-7265 | No redirection when the shared IP address is changed using the WUI. |
PD-8746 | If a LoadMaster licensed with WAF rules has had rules downloaded/installed and then a factory reset is performed, it is not possible to download/install WAF rules. |
PD-8413 | It is not possible to specify a wildcard port when creating a Virtual Service from a template. |
PD-9129 | The API command to backup contains an error that breaks the PowerShell wrapper connection. |
PD-9779 | Discrepancies between the WUI and RESTful API parameter for "Client Authentication Mode". |
PD-9596 | The showiface RESTful API command shows the wrong interface values in the output for interfaces that are not configured. |
PD-9572 | There are discrepancies displaying the location latitude/longitude parameter values for some RESTful API commands. |
PD-9570 | There is a typo in the removecountry API response error message. |
PD-9553 | There is no API command to disable secure NTP mode. |
PD-9539 | Issues with the PowerShell New-GeoCluster command in a specific scenario. |
PD-9525 | The RESTful API returns the value of the failtime parameter in seconds, but it is set in minutes. |
PD-9523 | In a specific scenario, the RESTful API returns a success message when fetching a non-existing GEO FQDN. |
PD-9476 | There is no RESTful API command to get/list the installed custom rule data files. |
PD-7156 | The VSIndex parameter is missing in some API calls. |
PD-9575 | There are issues with some aclcontrol API commands. |
PD-10160 | The API commands to reset the CPU and network graphs do not work. |
5 Release 7.1.35.3
Refer to the sections below for details about firmware version 7.1.35.3. This was released on 5th April 2017.
5.1 Feature Enhancements
- Updated OpenSSH version to 7.4p1.
- Updated OpenSSL version to 1.0.2k to mitigate against the following vulnerabilities:
- CVE-2017-3731
- CVE-2017-3730
- CVE-2017-3732
- CVE-2016-7055
- Updated BIND to version 9.10.4-P5 to mitigate against the following vulnerabilities:
- CVE-2016-9131
- CVE-2016-9147
- CVE-2016-9444
- CVE-2016-9778
- Updated the Copyright Notices on the LoadMaster console and Web User Interface (WUI).
- Support added for OWASP CRS 3.0 rules.
5.2 Issues Resolved
PD-9042 | Removed brackets from IPv6 X-Forwarded-For header. |
PD-8643 | Increased the connection levels that cause local port exhaustion. |
PD-8982 | Added an option to not include netstat in backups. |
PD-9075 | Fixed some session management issues. |
PD-8996 | Fixed an issue that was causing the SSL open/opening connections limit to be reached incorrectly. |
PD-8777 | Fixed an issue that prevented clients from authenticating using the Edge Security Pack (ESP) in certain scenarios. |
PD-8717 | Fixed an issue relating to the ESP Locked_users file. |
PD-8569 | Stopped an unnecessary error message from being displayed when viewing log files. |
PD-9120 | The Virtual Service status is listed in the stats Application Program Interface (API) command. |
5.3 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-8725 | Proximity and Location Based scheduling do not work with IPv6 source addresses. |
PD-9950 | LoadMaster VNF HA does not work on LoadMaster versions 7.1.35.n and 7.2.36.n. It does work on LoadMaster version 7.2.37 and above. |
PD-10159 | CPU and network usage graphs not appearing after firmware upgrade. Resetting the statistic counters does not clear the graph data. |
PD-8009 | The listcluster API command does not return a status. |
PD-8298 | There are some issues relating to IPv6 routing. |
PD-8097 | There are some issues accessing WebSocket when using Firefox and a LoadMaster. |
PD-8005 | There are issues with the PowerShell API that are causing errors with Microsoft Service Management Automation (SMA). |
PD-8341 | The MTU size is getting reset to 1500 when bonding interfaces. |
PD-8305 | The aslactivate API command always returns a success message even when the activation fails. |
PD-8192 | The Get-NetworkDNSConfiguration API command returns High Availability (HA) parameters, even when the LoadMaster is not in HA mode. |
PD-7778 | In some circumstances, the SSL open/opening connections limit is reached, even though there are only a few connections running. |
PD-7559 | It is not possible to add a comment to a block or whitelist entry in the Access Control List (ACL) when using the API. |
PD-8196 | There is no validation of the remote URI when enabling WAF logging using the API. |
PD-8174 | Clusters with a forward slash (/) in the name do not show up in the WUI. |
PD-8107 | It is not possible to force an NTP update using the API. |
PD-8038 | In some scenarios, the API is not returning the correct value for the cluster status. |
PD-8014 | A remote LoadMaster cluster does not respond unless the remote LoadMaster has a Virtual Service. |
PD-8225 | An incorrect error message is displayed when incorrect credentials are used when licensing the LoadMaster. |
PD-8205 | When using content rules, the LoadMaster does not match the port when trying to select a Real Server. |
PD-7487 | When adding a local user and the name of the user is bal, the response is correct but the response stat is invalid - it should be 400/422 or another stat, but not 200. |
PD-10160 | The API commands to reset the CPU and network graphs do not work. |
6 Release 7.1.35.2
Refer to the sections below for details about firmware version 7.1.35.2. This was released on 9th November 2016.
6.1 Issues Resolved
PD-8290 | Fixed an issue that was causing browsers to execute JavaScript from warning logs. |
PD-8240 | Fixed an issue with IP assignment in Azure multi-arm LoadMasters. |
PD-8193 | Fixed a display issue with statistics. |
PD-8189 | Fixed an issue that allowed unauthorized API commands to be run. |
PD-8188 | Fixed an issue that caused errors to appear in the Virtual Service when no Web Application Firewall (WAF) rules were assigned. |
PD-8187 | Updated BIND to version 9.10.4-P3. |
6.2 7.1.35.2 - Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-8725 | Proximity and Location Based scheduling do not work with IPv6 source addresses. |
7 Release 7.1.35
Refer to the sections below for details about firmware version 7.1.35. This was released on 2nd August 2016.
When upgrading a LoadMaster for Microsoft Azure to firmware version 7.1.35, you must upgrade the Azure add-on pack first.
7.1 New Features
The following features were added to the 7.1.35 release:
- Multiple logoff strings can be specified.
- Real Servers can be referenced by Fully Qualified Domain Name (FQDN) or IP address.
- The LoadMaster can Network Address Translate (NAT) IPv6 traffic.
- The following Virtual Service application configuration templates were published:
- VMware vRealize Automation
- Microsoft Dynamics AX
- JBoss Application Server
- Remote Desktop Services
- AirWatch
- Splunk
- Syncplicity
- The Microsoft Exchange, SharePoint and IIS application configuration templates are updated.
- GEO supports blacklists.
- The standard Linux/Unix utility du was added to the LoadMaster Operating System (OS).
- An Azure Resource Manager (ARM) basic setup template for High Availability (HA) is available.
- Closed network licensing.
- New public cloud WAF products.
- Enhanced IPv6 ping support.
- GEO per-FQDN settings.
- Enhanced GEO health checks to enable grouping by cluster.
- It is possible to perform a TCP dump by using the Application Program Interface (API).
7.2 Feature Enhancements
- Improved client certificate Common Name (CN) handling.
- Updated default values for SecRequestBodyNoFilesLimit and SecRequestBodyInMemoryLimit to 1048576.
- Improved Subject Alternative Name (SAN) handling with multiple Virtual Service certificates.
- It is possible to configure timeouts for Single Sign On (SSO) token authentication.
- Updated the OpenSSH version to 7.2p2.
- It is possible to enable and disable individual WAF rules in each ruleset.
- Product and service support types and dates are listed under the View License link on the Web User Interface (WUI) home page.
- Improved WAF rules auto-download behaviour.
- Session management is enabled by default on new LoadMasters.
- ModSecurity has been updated to version 2.9.
- Enhanced API functionality for the command to list all installed templates.
- The PowerShell API cmdlets have been renamed to follow Microsoft naming conventions. Previous naming conventions have been retained for backwards compatibility.
7.3 Issues Resolved
PD-6879 | Improved handling of SAMAccountName/User Principal Name (UPN) in multiple domain environments. |
PD-7668 | Added an option to set HTTPlib timeout for SDNstats to the LoadMaster WUI. |
PD-7564 | Fixed an issue which was preventing the selection of the UDP Session Initiation Protocol persistence method. |
PD-7476 | Fixed an issue where some statistics were disappearing in certain scenarios. |
PD-7467 | Fixed an issue which was preventing historical statistics from appearing. |
PD-7464 | The LoadMaster continues as expected after a successful LDAP bind when using alternative domains. |
PD-7331 | The spelling error has been corrected in the Francais Canadien Blank SSO image set. |
PD-7222 | WAF event logs are exported to syslog. |
PD-7153 | Fixed some strange licensing behaviour for SPLA Virtual LoadMasters. |
PD-7141 | The grave character (`) is supported in ESP passwords. |
PD-6889 | Enhanced HA mode settings behaviour when one node is down. |
PD-7617 | The boot log no longer refreshes and scrolls to the bottom of the page, making it easier to read. |
PD-7609 | Increased the dhcpcd timeout to accommodate for some hardware Network Interface Controllers (NICs). |
PD-7173 | Fixed issues relating to pre-authorization excluded directories and Kerberos Constrained Delegation (KCD). |
PD-7127 | The Kerberos cache is purged cleanly. |
PD-7099 | Fixed an issue which was preventing SubVSs from being created within a Log Insight Virtual Service in certain situations. |
PD-7047 | Fixed an issue with Name Server (DNS) protocol health checking. |
PD-7226 | Longer comments are allowed in templates to better support older templates. |
PD-7121 | OCSP responses containing multiple certificates are processed correctly. |
PD-7056 | Fixed an issue relating to black list IP addresses in Virtual Services. |
PD-7128 | The persist parameter is appearing in the showvs API command output in all situations. |
PD-7119 | Path MTU Discovery (PMTUD) notifications are no longer ignored when the packet filter is enabled. |
PD-7080 | Fixed an issue which was causing the IPv6 default route to be lost after High Availability (HA) failover. |
PD-7481 | Fixed an issue relating to incorrect site selection failover when using Location Based as the Selection Criteria. |
PD-7512 | Removed some spurious error messages from the LoadMaster WUI. |
PD-7475 | Corrected the message which is displayed to the user after downloading WAF rules. |
PD-7339 | Fixed an issue with the Disable Password Form option in Firefox browsers. |
PD-7134 | Fixed the GEO LoadMaster WUI to display missing menu elements. |
PD-7076 | Fixed issues with NAT functionality which was not working as expected in a specific scenario. |
PD-7011 | Improved warning messages when a user is trying to delete or block themselves. |
PD-6548 | Resolved an issue which was causing high CPU usage after additional services were added. |
PD-7021 | There is no longer a discrepancy between the length of the Add Header to Request field between the WUI and API. |
PD-7014 | Fixed an issue relating to the removal of extra ports using the PowerShell API. |
PD-7582 | Enhancements have been made to the PowerShell commands to enable and disable the API. |
PD-7217 | Enhancements have been made to the Java modify interface command. |
PD-7637 | Fixed an issue with the PowerShell Initialize-Loadbalancer command. |
PD-7023 | Improved error handling for the Get-Rule API command. |
PD-7016 | Fixed an issue which was preventing the "Include query" flag from being set for a content rule using the PowerShell API. |
PD-7184 | The showrs RESTful API command returns the correct VSIndex value. |
PD-7642 | Fixed a typo in the PowerShell API command New-TlsintermediateCertificate. |
PD-7541 | Fixed an issue which was preventing the showiface API command from working with clustering. |
PD-7509 | It is possible to set the Shared SubVS persistence using the API. |
PD-7465 | Fixed an issue with the DisablePasswordForm API parameter. |
PD-7379 | Fixed an issue which was preventing the Require SNI hostname flag from being set using the RESTful API. |
PD-7267 | The Java API ModSSODomain command accepts Map<String, String> as a third parameter. |
PD-7192 | Fixed a typo in the nameserver API parameter. |
PD-7420 | The checkheader API parameter now allows the correct number of header/field pairs (up to four). |
PD-6923 | Fixed the API command to enable/disable SubVSs. |
PD-6866 | The InputAuthMode API parameter has additional values, as needed. |
PD-6865 | The CheckHeaders parameter has been added to the modify Virtual Service command. |
7.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-8725 | Proximity and Location Based scheduling do not work with IPv6 source addresses. |
PD-9950 | LoadMaster VNF HA does not work on LoadMaster versions 7.1.35.n and 7.2.36.n. It does work on LoadMaster version 7.2.37 and above. |
PD-10159 | CPU and network usage graphs not appearing after firmware upgrade. Resetting the statistic counters does not clear the graph data. |
PD-7218 | WAF-FLE servers are not accepting LoadMaster remote logging requests. This is an issue with WAF-FLE rather than the LoadMaster. |
PD-7713 | There is an issue which is causing the health check status to show as unchecked on Azure HA units, even though the health check probe is working correctly. |
PD-7678 | There is an issue which is continually locking out some LoadMaster users when using HA and session management. This is because the list of blocked logins is shared between HA machines. When a user is unblocked, the "blocked login" file is not removed from both machines - so the files come back from the slave unit. As a workaround - unblock the user on both machines at the same time. |
PD-7578 | There is an issue where wildcard UDP Virtual Services are not NATing the return traffic as expected. |
PD-7265 | When the Shared IP Address is changed in a HA pair, the user is not redirected to the new Shared IP Address. |
PD-7764 | There is an issue which is preventing the ciphers from being selected in the Microsoft Edge and Internet Explorer browsers. |
PD-7487 | When adding a local user and the name of the user is bal, the response is correct but the response stat is invalid - it should be 400/422 or another stat, but not 200. |
PD-7752 | RADIUS challenge is sending mangled characters. |
PD-7157 | There is an issue with using file attachments in SharePoint when using WAF and KCD. |
PD-7559 | It is not possible to add a comment to a block or whitelist entry using the API. |
PD-7556 | The PowerShell configure Virtual Service command does not support the ability to set the Persistence Mode to none. |
PD-7658 | It is not possible to unset any syslog values using the related PowerShell API command. |
PD-7657 | It is not possible to unset the netconsole parameter using the Set-LmDebugConfiguration command. |
PD-7656 | It is not possible to unset certain values using the Set-SecRemoteAccess PowerShell API command. |
PD-7655 | The bonded interface API commands are returning errors. |
PD-7650 | There are some issues relating to the setwafautoupdate API command. |
PD-7648 | It is not possible to upload a custom rule data file to the LoadMaster using the RESTful API. |
PD-7643 | Manual reboots using the API do not reset the reboot counter, which can cause the LoadMaster to enter passive mode after rebooting three times without the LoadMaster being up for more than five minutes. |
PD-7608 | It is not possible to enable the "Require SNI hostname" flag using the modify Virtual Service PowerShell and Java API commands. |
PD-7693 | When setting the CheckPattern parameter using the API, inputs over 140 characters are being lost and part of the input is spilling over into the CheckHost parameter. |
PD-7753 | When using the PowerShell API for a LoadMaster with a management port other than 443, you need to specify the port when using the commands Enable-SecAPIAccess and Disable-SecAPIAccess. |
PD-7565 | The checker address cannot be set using the API. |
PD-7522 | If a GEO map is modified using the API and the IP address for the site is not specified, nothing is returned (an error should be displayed). |
PD-7516 | The GEO Location Based option for "Everywhere" cannot be set and is not listed in the API. |
PD-7338 | The listclusters API command returns 0 as the CheckerPort value if the checker is set to tcp. The default value when using TCP health checks is 80 and that should be returned. |
PD-7742 | The API and UI allow different lengths for the field DNS query. |
PD-7696 | The Checked Port cannot be unset using the API. |
PD-10160 | The API commands to reset the CPU and network graphs do not work. |
8 Release 7.1.34.1
Refer to the sections below for details about firmware version 7.1.34.1. This was released on 18th May 2016.
As of 7.1.34.1, the VMware vCenter Operations (vCOPs) v5 LoadMaster plugin is no longer being maintained because VMware have ended their support of vCOPs v.5.8.1.
Upgrading an existing LoadMaster for Amazon Web Services (AWS) from a pre-7.1.34 firmware version to 7.1.34 and above will not work. This issue is caused by AWS de-emphasizing and eventually deprecating support for Para Virtual (PV) images. Therefore, all new LoadMaster versions will support Hardware Virtual Machine (HVM) AMIs only. For help upgrading please contact Kemp Technical Support.
8.1 New Features
- Improvements made to the home page of the LoadMaster Web User Interface (WUI)
- Template creation capabilities have been added
- Domain Name System Security Extensions (DNSSEC) client support has been added
- Microsoft Azure Resource Manager (ARM) deployment is supported
- The LoadMaster for Amazon Web Services (AWS) supports Bring Your Own License (BYOL)
- Support has been added for RADIUS challenge/response
8.2 Feature Enhancements
- Enhanced the "Permitted Groups" functionality in the Edge Security Pack (ESP) to work with client certificates.
- RSA-SecurID and LDAP dual factor authentication is supported.
- Two Virtual Service application configuration templates have been published:
  - Dell Wyse vWorkspace
  - Adobe Connect
- It is possible to configure "non-standard" web server responses as healthy.
- Improvements made to Common Access Card (CAC) WUI authentication.
- Central SSL cipher set management has been added to the WUI and API.
- It is possible to delete custom GEO locations.
- Improved Virtual Service WAF statistics to better reflect WAF health.
- When SSOMGR debug traces are enabled, the SSOMGR log file gets compressed at midnight, as long as the file is not empty.
- It is possible to license the LoadMaster using a HTTP(S) proxy during installation.
- Added support for virtIO disks for KVM LoadMasters.
- Extended region support has been added for LoadMasters in AWS.
- Added a new L7 configuration option which allows empty headers.
- Added a PowerShell API command to add a SubVS.
- Added a parameter for Subnet Originating Requests to the Virtual Service API commands.
- Added PowerShell API commands relating to health check aggregation and configurable health thresholds.
- PowerShell and Java API commands have been added for adding custom locations to FQDNs.
- Improvements made to the PowerShell API in relation to Virtual Services and SubVSs.
- Replaced the API parameters tcpfailover and cookieupdate with hal4update and hal7update, respectively.
- Updated OpenSSL to version 1.0.2h to mitigate against the CVE-2016-2107 vulnerability.
- Mitigated against CVE-2015-5621 vulnerability.
8.3 Issues Resolved
PD-7035 | Increased the length of the redirect URL field. |
PD-6644 | Changed the VLAN interface ID to the actual VLAN number. |
PD-6921 | LDAPS is capable of running in FIPS mode. |
PD-6570 | Improved WAF stability. |
PD-7083 | Improved RADIUS health checks. |
PD-7064 | Fixed an issue relating to content rule removal. |
PD-6950 | Fixed an issue which was causing the administrative certificate to be lost after reboot. |
PD-6936 | Fixed a license error which was occurring after certain upgrades. |
PD-6931 | Fixed the historical statistics page on nodes in a cluster. |
PD-6916 | Fully removed support for SSHv1. |
PD-6870 | Improved failed login attempt threshold enforcement. |
PD-6653 | Improvements made to the WAF counter on the home page. |
PD-6656 | It is possible to manipulate the host file from the LoadMaster by specifying the IP address and host FQDN for the entry. |
PD-6468 | Improved WAF performance. |
PD-6412 | Enhanced support for multi-domain forests within ESP. |
PD-4666 | Fixed error in SSO configuration logs regarding lost domain. |
PD-7222 | Enhanced WAF syslog support. |
PD-6591 | Improved Kerberos Constrained Delegation (KCD) service ticket handling. |
PD-6549 | Fixed an issue with deleting VLAN/VXLANs when in High Availability (HA) mode. |
PD-6731 | Fixed an issue which was causing the Real Server status to not display correctly when Enhanced Options was enabled. |
PD-6657 | Fixed an issue relating to Private/Public site preference with Proximity scheduling. |
PD-6641 | Fixed a display issue for sites using a built-in geographic location database. |
PD-6626 | Fixed geographic coordinate resolution of existing sites when switching to proximity selection. |
PD-6607 | Fixed an issue when using KCD OWA and file attachments with SharePoint and Exchange. |
PD-6760 | Enhanced the POST health check to handle special characters in the POSTDATA. |
PD-6734 | Improved synchronization with SharePoint One Drive when using ESP form-based authentication and KCD. |
PD-6669 | Fixed an issue with legacy licensing on the free Virtual LoadMaster. |
PD-6548 | Resolved an issue which was causing high CPU usage when additional services were added. |
PD-6459 | Fixed incorrect CPU statistics. |
PD-6329 | Added missing Java and PowerShell API commands relating to the Packet Routing Filter. |
PD-6215 | Added API commands to allow public IP addresses to be treated as private on GEO. |
PD-6214 | Added an API command to limit the number of concurrent logon sessions. |
PD-6617 | Added an API command which lists all installed certificates. |
PD-6864 | Added a parameter for Quality of Service to the API. |
PD-6958 | The System Center plugin can reach the LoadMaster API. |
PD-6928 | Fixed an issue with the API command to enable non-local Real Servers. |
PD-6365 | Added a missing PowerShell API parameter value for "Username only" in the Set-SSODomain command. |
PD-7067 | Added an API parameter to set Basic Authentication. |
PD-7049 | Improved error handling for the ErrorUrl RESTful API parameter. |
PD-7020 | Fixed an API issue relating to using the Transparent parameter with the Sorry Server parameter. |
PD-6978 | Added the RSIndex parameter to the PowerShell and Java API. |
PD-6860 | Fixed error handling in the API for the alternate address parameter. |
PD-6841 | The API correctly reflects the Virtual Service status. |
PD-6602 | Fixed the API response for the command to get the administrative certificate. |
PD-6600 | Improved an API display issue relating to the MatchRules section of Real Server output. |
PD-6595 | Improved error handling when disabling ACLControl using the API. |
PD-6481 | Fixed an API issue in the LoadMaster for Azure when adding/modifying Virtual Services. |
PD-6213 | Cipher set management added to the Java API. |
PD-6195 | Added PowerShell and Java API commands relating to managing the black and white list. |
PD-6846 | Added the VSIndex parameter to the Set-VirtualService command in the PowerShell API. |
PD-6843 | Fixed an issue with the Get-NetworkOptions PowerShell API command. |
PD-6655 | Improved error handling for the API list commands. |
PD-6601 | Improved the HTTP status code in the RESTful API command to set the local cert. |
PD-6599 | Improved the GetSDNController Java API command. |
PD-6598 | Improved the AddSDNController and ModSDNController Java API commands. |
PD-6587 | Fixed the response of the New-RealServer PowerShell API command. |
PD-6480 | Improved the PowerShell API command Set_AWSHAOption. |
PD-7647 | Fixed an issue which was causing WUI connection problems on LoadMasters for Azure. Please update the Azure add-on in addition to the LoadMaster firmware to fix this issue. |
8.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-7173 | Pre-authorization excluded directories do not work as expected with KCD. |
PD-7127 | The SSOMGR is not purging the Kerberos cache cleanly. |
PD-7099 | It is not always possible to create a SubVS within a Log Insight Virtual Service in the LoadMaster WUI. |
PD-7157 | There is an issue with using file attachments in SharePoint when using WAF and KCD. |
PD-7121 | OCSP responses containing multiple certificates are not processed correctly. |
PD-7056 | There is an issue relating to black list IP addresses in Virtual Services. |
PD-7047 | There is an issue with Name Server (DNS) protocol health checking. |
PD-7226 | There is an issue uploading some templates which contain long comments. |
PD-7023 | The output and error handling of the Get-Rule API command is not ideal. |
PD-7016 | The IncludeQuery API parameter cannot be set. |
PD-6930 | The IPv6 support in the API is incomplete. |
PD-7225 | The listcustomlocation API command shows custom locations that have not been added. |
PD-7128 | The persist parameter does not appear in the API command showvs output when the persistence mode is set to Source IP Address. |
PD-7021 | There is a discrepancy between the length of the Add Header to Request field between the WUI and API. |
PD-7014 | There is an issue removing extra ports when using the PowerShell API. |
9 Release 7.1-32a
Refer to the sections below for details about firmware version 7.1-32a. This was released on 26th January 2016.
9.1 New Features
- A HTTP/2 Virtual Service type has been added
- High Availability (HA) in the LoadMaster for Amazon Web Services (AWS)
- LoadMaster Clustering
- Health check aggregation and threshold configuration
- A WAF event log has been added.
- Remote WAF logging functionality has been added.
- Some of the WAF WUI fields have been renamed to increase clarity.
- A WAF rule updates log has been added to increase clarity.
- The WAF audit logs are available using the API and can be sent to third party collectors.
9.2 Feature Enhancements
- Updated the LoadMaster root certificate to mitigate against CVE-2004-2761 vulnerability.
- The PowerShell API library supports only TLS 1.1 and TLS 1.2.
- The Java API supports Java 7 and Java 8.
- API support added for SSH and Web User Interfaces (WUI) pre-authentication messages.
- Multiple NICs are supported in the LoadMaster for Azure.
- Multiple subnets are supported in the LoadMaster for Azure.
- A number of Virtual Service application configuration templates have been published:
  - AD FS v3
  - DirectAccess
  - Fujifilm Synapse
  - Skype for Business
  - Greenway PrimeSuite
  - Epicor ERP
  - Microsoft Exchange 2016
- Updates have been made to the Microsoft Exchange 2013 Virtual Service application configuration templates.
- Improvements have been made to the display of the sections on the Modify Virtual Service screen.
- More information has been added to the screen where the license type is selected when initially configuring a LoadMaster.
- Improved VXLAN/VLAN interface usability.
- Warning added to prevent the enabling of cluster mode if VXLANs or IPsec tunnelling is enabled.
- FIPS mode forces the use of Session management mode.
- Authenticated NTPv4 is supported.
- Additional Security headers are included on WUI pages.
- Administrative actions are written in an audit log.
- It is possible to enable a pre-authentication click-through banner.
- If session management is enabled, the last successful login is displayed on the home page of the LoadMaster WUI.
- When using the Edge Security Pack (ESP), it is possible to steer traffic based on Active Directory group membership.
- Nested permitted groups are supported when using ESP.
- The Cavium driver has been updated to V6.0.
9.3 Issues Resolved
PD-6523 | Improved the way the SSL reencrypt parameter is set in the PowerShell API. |
PD-6482 | Fixed an issue relating to bonded interfaces and the active/backup option. |
PD-6476 | Improved GEO proximity stability. |
PD-6435 | Fixed an issue relating to HA and SSO synchronization. |
PD-6413 | It is possible to use port following with wildcard ports. |
PD-6389 | Fixed an issue where image set resources did not load if there were no Real Servers present. |
PD-6385 | Added the ability to select the TLS version for the WUI. |
PD-6364 | Consistency improvements made between the RESTful, PowerShell and Java APIs. |
PD-6348 | Improved RADIUS authorization stability. |
PD-6334 | Fixed an issue relating to WUI access when using FIPS mode and TLS 1.2. |
PD-6231 | Added some commands that were missing from the PowerShell API. |
PD-6167 | Fixed an issue relating to SNMP and IPv6. |
PD-6165 | Fixed a WUI compatibility issue with Internet Explorer 11. |
PD-6160 | Improved API usability when creating a Virtual Service with SSL reencryption. |
PD-6159 | Improved WAF and Virtual Service stability. |
PD-6096 | Improved Azure Virtual LoadMaster (VLM) stability. |
PD-6077 | Fixed an issue which was causing VLMs to hang in certain scenarios. |
PD-6013 | It is possible to set Subnet Originating Requests per Virtual Service using the API. |
PD-5961 | Fixed an issue which was preventing attachments greater than 1MB from being attached when using Kerberos Constrained Delegation. |
PD-5932 | Fixed an issue which was causing a segfault in some situations. |
PD-5915 | Fixed an issue which was preventing an extra name server from being added. |
PD-5909 | Fixed a minor issue relating to the API command used to display the black list. |
PD-5857 | Fixed an issue which was causing a collector thread error in the VMware vRealize Operations Manager. |
PD-5798 | Updated firmware to mitigate against CVE-2015-5600 vulnerability. |
PD-5641 | Fixed an issue which was causing LM-2600 models to reboot when configuration changes were made. |
PD-5222 | Fixed an issue relating to short domain names. |
PD-4775 | Fixed an issue which was causing Virtual Services in a Security Down state to be listed as "InService" when querying using SNMP. |
PD-3642 | Fixed an issue relating to GEO Weighted Round Robin statistics. |
PD-6102 | Fixed an issue with the enable Real Server button. |
PD-6514 | Fixed an issue relating to site restrictions for FQDNs. |
PD-6095 | Fixed an issue with the add/remove country and change map location API commands for GEO. |
PD-6078 | It is possible to add a custom location to an IP in an FQDN using API commands. |
PD-6735 | Fixed a synchronization issue when using Kerberos Constrained Delegation (KCD) with SharePoint. |
PD-6703 | Fixed an error in the SSO configuration logs regarding details being lost for a domain. |
PD-6404 | Improved error handling for API list commands. |
9.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-6626 | Changing an existing FQDN with sites to proximity balancing causes automatic resolution to fail. |
PD-6627 | If 'bad data' is entered in the coordinates of an FQDN, automatic resolution will fail. |
PD-6575 | There is an issue which is preventing the OpenStack Load Balancer as a Service (LBaaS) from being installed in some scenarios. |
PD-4666 | In some cases, SSO configuration details are being lost. |
PD-6607 | When using WAF and KCD - file attachments fail with SharePoint and Exchange. |
PD-6591 | In some situations, the LoadMaster is not requesting the KCD service ticket. |
10 Release 7.1-30a
Refer to the sections below for details about firmware version 7.1-30a. This was released on 2nd November 2015.
10.1 Feature Enhancements
- API commands have been added to retrieve SDN device and path information.
- Updated firmware to mitigate against CVE-2015-5600 vulnerability.
10.2 Issues Resolved
PD-6335 | Fixed an issue relating to using FIPS mode and TLS 1.1 or 1.2. |
PD-6223 | Fixed an issue which was causing some LM-2600 models to reboot when configuration changes were made. |
PD-6222 | Fixed an issue which was causing some Virtual LoadMasters to hang. |
10.3 7.1-30a - Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
11 Release 7.1-30
Refer to the sections below for details about firmware version 7.1-30. This was released on 3rd November 2015.
11.1 New Features
- IPsec Tunnelling Feature Extension
- LoadMaster SDN Adaptive
- VMware vRealize Orchestrator Integration.
- Virtual Extensible LAN (VXLAN) network support
- Multi-domain authentication with the Edge Security Pack (ESP)
- Certificate Authentication for WUI access
- TCP Multiplexing
11.2 Feature Enhancements
- Content switching based on request payload is supported.
- The total number of allowed concurrent administrative logon sessions to the LoadMaster WUI is configurable.
- SDN adaptive mode settings can be fully configured using the API.
- SDN-related commands have been added to the PowerShell and Java APIs.
- Script version information has been added to the LoadMaster logs.
- Memory utilization enhancements have been made for Web Application Firewall (WAF).
- Special characters are allowed in Virtual Service names.
- Manual boot options and a hardware compatibility check have been added to the bare metal installation.
- Granular control over cipher sets has been added to SSL certificate management.
- The LoadMaster OpenSSL version has been upgraded to 1.0.1p.
- Short domain names are supported when using ESP.
- The Web User Interface (WUI) has been updated with a new color scheme and improved navigation.
- An Oracle EBS Virtual Service application configuration template has been published.
- An SAP Virtual Service application configuration template has been published.
- An Oracle JD Edwards Virtual Service application configuration template has been published.
- FIPS 140-2 Level 1 operation is available in all LoadMaster models.
- LoadMaster can use a proxy for internet access.
- Diffie-Hellman Exchange (DHE) key size can be specified.
- WUI indicators for High Availability status of Azure-based LoadMasters and GEO have been improved.
- The filename of manual LoadMaster backups includes the LoadMaster host name.
- Reply code of 200 has been added to the Not Available Redirection Handling.
- SNMP protocol version and authentication settings are configurable.
- Selective response settings for public or private sites based on request source are more granularly configurable.
- It is possible to flush the SSO cache using the API.
- The Custom Headers field in the Real Server Check Parameters accepts special characters.
11.3 Issues Resolved
PD-5841 | Fixed an issue relating to the username when configuring SNMP v3. |
PD-5643 | Fixed an issue which was causing problems with automated backups. |
PD-5500 | Fixed an issue relating to permitted groups and ESP authentication. |
PD-5420 | Fixed an issue which prevented the Not Available Redirection Handling Error File from being updated. |
PD-5416 | Fixed an issue relating to RSA authentication prompts. |
PD-4964 | Fixed an issue relating to RSA concurrent access. |
PD-4596 | Fixed an issue where the LoadMaster was not sending full certificate data on the front-end handshake. |
PD-3726 | Fixed an issue which was causing the LoadMaster to reboot on KCD login. |
PD-4865 | Fixed an issue relating to unlocking locked users for some SSO domains. |
PD-5920 | Fixed an issue which was showing RS health check status as "up" even when it was unavailable. |
PD-5870 | Fixed an issue which was preventing logs from appearing in Internet Explorer. |
PD-5867 | Fixed an issue relating to two-factor (RADIUS and LDAP) ESP authentication. |
PD-5853 | Fixed an issue relating to GEO health checking. |
PD-5586 | Fixed an issue where toggling scheduling methods was causing the LoadMaster to crash. |
PD-5282 | Fixed an issue relating to the GEO proximity scheduling method. |
PD-4863 | Fixed an issue which was preventing GEO custom locations from being edited. |
PD-5478 | Fixed an issue with the GEO round robin scheduling method for IPv6. |
PD-4662 | Fixed an issue which was causing the LDAP health check to fail intermittently. |
PD-3567 | Fixed an issue relating to gratuitous ARP on IPv4 when using IPv6 and additional addresses. |
PD-5863 | Fixed Network Interface Card (NIC) port mapping for 8-NIC LoadMaster units. |
11.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-5582 | There are some GEO issues relating to the resource check parameters and cluster health checking. |
PD-4666 | In some cases, SSO configuration details are being lost. |
PD-5915 | In GEO, it is not possible to add multiple name servers using the WUI. This can be done in the API as a workaround. |
PD-5909 | The RESTful API stops displaying blacklist IP addresses after 325 entries. |
PD-5641 | In certain situations, LM-2600 LoadMasters are rebooting when configuration changes are made. |
PD-5857 | There are issues with the VMware vRealize Operations collector for the LoadMaster. |
PD-5961 | Attachments greater than 1MB will not work if the authentication mode is set to Kerberos Constrained Delegation (KCD). |
PD-6102 | The enable Real Server button is not functioning correctly. |
12 Release 7.1-28b
Refer to the sections below for details about firmware version 7.1-28b. This was released on 28th August 2015.
12.1 Feature Enhancements
- A new reply code of 200 OK has been added to the Not Available Redirection Handling Error Code drop-down list.
- Updated firmware to mitigate against CVE-2015-5477 vulnerability.
12.2 Issues Resolved
PD-5596 | Fixed an issue which prevented the Not Available Redirection Handling error file from being updated. |
PD-5581 | Fixed a GEO Web User Interface (WUI) issue which caused issues with multiple locations being assigned. |
PD-5513 | Improvements have been made to increase LoadMaster stability. |
12.3 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-3567 | No gratuitous ARP is sent on IPv4 when using IPv6 and additional addresses. |
PD-3642 | Statistics are not updating correctly when using GEO and weighted round robin scheduling. |
PD-4662 | There is an intermittent issue with the LDAP Health check in certain configurations. |
PD-4863 | Custom locations on the LoadMaster GEO cannot be disabled. |
PD-4865 | In certain domains, locked users cannot be unlocked. |
PD-4964 | RSA Authentication fails when the RSA Test User is configured. |
PD-5020 | The Custom Header field in Real Server Check Parameters does not accept special characters. |
PD-5416 | ESP RSA does not always require RSA passphrase for new connection if the user has an existing session. |
PD-5420 | The Error File for Not Available Redirection Handling cannot be updated. |
13 Release 7.1-28a
Refer to the sections below for details about firmware version 7.1-28a. This was released on 29th July 2015.
13.1 New Features
- Microsoft SharePoint templates have been created.
- MobileIron templates have been created.
13.2 Feature Enhancements
- Commands relating to SDN have been added to the RESTful API
- Stated Real Server limits are calculated on a per LoadMaster basis.
- The maximum number of concurrent SSL connections scales better with memory.
- Alternate source addresses can be set when SSL re-encryption is enabled.
13.3 Issues Resolved
PD-5413 | Fixed an issue relating to the Service Provider License Agreement (SPLA) licensing screen where the online/offline option was sometimes hidden. |
PD-4924 | Improved stability when using the Edge Security Pack (ESP) Delegate to Server option. |
PD-4597 | Fixed a memory issue relating to nested Virtual Services. |
PD-5251 | Fixed an issue which prevented some GEO miscellaneous parameters from being set. |
PD-4350 | Fixed an issue relating to setting the administrative interface and administrative gateway together. |
13.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-3567 | No gratuitous ARP is sent on IPv4 when using IPv6 and additional addresses. |
PD-3642 | Statistics are not updating correctly when using GEO and weighted round robin scheduling. |
PD-4662 | There is an intermittent issue with the LDAP Health check in certain configurations. |
PD-4863 | Custom locations on the LoadMaster GEO cannot be disabled. |
PD-4865 | In certain domains, locked users cannot be unlocked. |
PD-4964 | RSA Authentication fails when the RSA Test User is configured. |
PD-5020 | The Custom Header field in Real Server Check Parameters does not accept special characters. |
PD-5416 | ESP RSA does not always require RSA passphrase for new connection if the user has an existing session. |
PD-5420 | The Error File for Not Available Redirection Handling cannot be updated. |
14 Release 7.1-28
Refer to the sections below for details about firmware version 7.1-28. This was released on 24th June 2015.
14.1 New Features
- ESP enhancement - Dual Factor Authentication
- LoadMaster Clustering - Beta
- ESP enhancement - NTLM support - Beta
- SNMP v3
14.2 Feature Enhancements
- Updated the bare metal installation process.
- Updated the SDN Add-on pack to support Mode 2.
- ESP has a configurable timeout option for SSO forms.
- Further strengthened WUI security.
- Improved the usability of the Session Management function.
- Commands relating to Content Switching have been added to the RESTful API
- Commands relating to changing the Admin Gateway and the Interface have been added to the RESTful API
- Commands relating to Client IP support have been added to the RESTful API
- Commands relating to SDN-Adaptive have been added to the RESTful API
- Commands relating to the Logon Transcode option have been added to the PowerShell and Java APIs
- Improved the syslog with multiple destinations.
- Improved the display of the state of add-on packs in the WUI.
- Added notifications for when Virtual Service Connection Limits are reached.
- Improved ESP logging to show which URLs are being accessed by users.
- Increased the size of the Match field in Content Rules.
- Improved the backup function by including SSO images.
- Improved the initial setup process of AWS.
- Added support for VMware Log Insight 2.5.
- Improved pre-licensing troubleshooting.
- Improved logon format for Dual Factor Authentication.
- Increased the maximum length of the RADIUS Shared Secret.
- Improved the security around the RADIUS Shared Secret.
- Improved the new software availability alert functionality.
- Added new diagnostic tools.
- Improved Java API error handling
- Added SubVS status to the output of the Showvs RESTful API command
- Improved the handling of SAN certificates on AWS
14.3 Issues Resolved
PD-4195 | Vulnerability - XSS Credited to - Francesco Perna (CVE submitted) |
PD-4196 | Vulnerability - XSRF Credited to - Francesco Perna (CVE submitted) |
PD-4198 | Vulnerability - OS Command Injection Credited to - Francesco Perna (CVE submitted) |
PD-4199 | Vulnerability - Cross Site Scripting Injection Credited to - Roberto Suggi Liverani and Paul Heneghan (CVE submitted) |
PD-1677 | Gave path to RESTful API command for uploading node secret and config file of RSA settings |
PD-3697 | Fixed issue with ESP SMTP |
PD-4212 | Fixed header injection issue with X-Forwarded_For |
PD-4305 | Improved RESTful API return code for listvs command |
PD-4383 | Fixed issue with subnet originating and re-encrypt |
PD-4385 | Improved SSO Manager stability |
PD-4519 | Fixed issue for WUI refresh with adaptive agent |
PD-4528 | Fixed issue with input error handling for IPSec configuration |
PD-4529 | Fixed issue with Java API relating to SetParameter() method |
PD-4531 | Fixed issue with LM default gateway after VS IP change |
PD-4534 | Fixed issue with IPv6 healthcheck |
PD-4535 | Fixed issue with intermediate certificates display |
PD-4542 | Fixed FIPS Reencrypt SSL |
PD-4543 | Fixed FIPS Reverse SSL |
PD-4559 | Fixed issue in PowerShell API for SNMP option |
PD-4604 | Fixed issue where a user may lose access to diagnostic shell |
PD-4608 | Fixed issue where changing global default gateway causes WUI admin to lose access |
PD-4629 | Fixed SDN view logs selection issue |
PD-4648 | Fixed issue with custom image sets relating to long image file name |
PD-4663 | Improved error handling for SDN controller inputs |
PD-4693 | Fixed issue with SDN Adaptive scheduling |
PD-4704 | Fixed issue with special characters in PSK for IPSec configuration |
PD-4710 | Fixed RESTful API command for modrs relating to IPv6 |
PD-4712 | Fixed issue with removal of certificates in relation to other VS |
PD-4802 | Fixed SDN display on WUI |
PD-4828 | Improved security in backup |
PD-4855 | Improved SDN security |
PD-4884 | Fixed issue with GEO partners and HA |
PD-4917 | Fixed issue with home page graphs on 32bit systems |
PD-4954 | Fixed issue with statistics showing adaptive value for RS |
PD-4969 | Fixed issue with adaptive agent creating templates |
PD-5022 | Improved WAF rules installation efficiency |
PD-5062 | Improved security in SSO manager logs |
PD-5119 | Improved stability for SSO manager |
PD-3703 | Fixed an issue relating to the domain\username format when the Logon Format is set to Username in an SSO domain. |
PD-4632 | Fixed issues relating to the SDN logs date picker. |
PD-5124 | Fixed an issue relating to persistence and SubVSes. |
14.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-3324 | In some situations, R320s are not failing over correctly. |
PD-3567 | No gratuitous ARP is sent on IPv4 when using IPv6 and additional addresses. |
PD-3642 | Statistics are not updating correctly when using GEO and weighted round robin scheduling. |
PD-5251 | Some of the fields on the GEO Miscellaneous Params screen cannot be set using the WUI. Most of these fields can be set using the API as a workaround. |
PD-4350 | There is an issue with setting some RADIUS fields in the WUI in some scenarios. |
15 Release 7.1-26c
Refer to the sections below for details about firmware version 7.1-26c. This was released on 20th May 2015.
15.1 Issues Resolved
PD-4666 | Fixed an issue relating to the Single Sign On (SSO) domain configuration |
PD-4916 | Fixes implemented which enhance the IRQ balancing for LoadMaster appliances |
15.2 7.1-26c - Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
16 Release 7.1-26
Refer to the sections below for details about firmware version 7.1-26. This was released on 1st May 2015.
16.1 New Features
- A Moodle template has been released
- A VMware View 6 template has been released
- Qualified IPsec tunnelling with Microsoft SharePoint
- Enhancements made to the Software Defined Networking (SDN) adaptive add-on pack
16.2 Feature Enhancements
- Fixed an issue relating to Kerberos Constrained Delegation (KCD) working with the Web Application Firewall (WAF)
- Updated the copyright on the LoadMaster console and WUI screens.
- Added logging for Edge Security Pack (ESP) permitted group failures.
- Added an option to send SNMP traps from the shared IP address when in HA mode.
- Commands relating to add-ons have been added to the Java and PowerShell APIs.
- Commands relating to licensing have been added to the RESTful, PowerShell and Java APIs.
- IPsec tunnelling support has been added to the Application Program Interfaces (APIs)
- User management support has been added to the APIs
- Additional statistics support has been added to the APIs
- Expansion of RESTful API permissions
- Improvements made to the ping debug option.
- POST health check character limit increased
- Improved session management security
- Improved security on the Web User Interface (WUI)
- Improved security relating to cross-site request forgery
- Updated firmware to mitigate against CVE-2015-0204, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209 and CVE-2015-0288 vulnerabilities
16.3 Issues Resolved
PD-4285 | Removed an invalid option (Port Following) from the SubVS screen. |
PD-4188 | Improved Virtual Service statistic reporting. |
PD-4071 | Fixed an issue which caused some connections to time out in certain scenarios. |
PD-3985 | Improved security relating to ActiveSync logins. |
PD-3910 | Fixed an issue which prevented temporary licenses from being applied to hardware LoadMasters. |
PD-3774 | Fixed an issue with DNS health checking. |
PD-3681 | Fixed an issue relating to the HTTP transfer encoding reaching the maximum character limit. |
PD-3567 | Improved High Availability (HA) failover with IPv6. |
PD-4118 | It is possible to import a certificate with a separate key file. |
PD-4212 | Fixed an issue relating to X-Forwarded-For header injection. |
PD-4169 | Fixed an issue relating to Real Server persistence. |
PD-4117 | Fixed an issue which caused the LoadMaster to lock up in certain scenarios. |
PD-4061 | Fixed an issue relating to Active Cookie persistence. |
PD-3610 | Fixed an issue which caused the LoadMaster to reboot unexpectedly in certain scenarios. |
PD-4481 | Fixed an issue which caused a LoadMaster HA unit to stop responding in a certain scenario. |
PD-3780 | Vulnerability - Denial of Service Condition. Credited to - Roberto Suggi Liverani and Paul Heneghan (CVE submitted) |
PD-3781 | Vulnerability - Cross Site Request Forgery. Credited to - Roberto Suggi Liverani and Paul Heneghan (CVE submitted) |
PD-4484 | Fixed an issue which was causing the LoadMaster installation to fail on Fujitsu bare metal platforms. |
16.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-3324 | In some situations, R320s are not failing over correctly. |
PD-3567 | No gratuitous ARP is sent on IPv4 when using IPv6 and additional addresses. |
PD-3682 | Virtual Service statistic details are incorrect in some situations. |
PD-3642 | Statistics are not updating correctly when using GEO and weighted round robin scheduling. |
PD-3703 | In some situations, the domain\username format is not working when the Logon Format is set to Username in an SSO domain. |
PD-4383 | Per-SubVS Subnet Originating Requests are not working when using reencryption. |
PD-4516 | Centaur processors are not supported. |
PD-4531 | The LoadMaster is ignoring the per-service default gateway after the virtual IP address is changed. |
PD-4648 | Images with long filenames are not working in custom SSO image sets. |
PD-4608 | In certain scenarios, changing the global default gateway causes the WUI to become inaccessible. |
PD-4604 | The Diagnostic Shell option in the LoadMaster console is inaccessible. |
17 Release 7.1-24b
Refer to the sections below for details about firmware version 7.1-24b. This was released on 3rd March 2015.
17.1 New Features
- Free LoadMaster product
17.2 Feature Enhancements
- Updated the version of BIND on the LoadMaster to 9.9.6-P1 to mitigate against the CVE-2014-8500 vulnerability.
17.3 Issues Resolved
PD-4042 | Fixed an issue which caused FIPS LoadMasters to lose access to the Web User Interface (WUI) in certain situations. |
PD-3911 | Fixed an issue which was causing the Web Application Firewall (WAF) to block content when set to Audit Only mode. |
PD-3330 | Fixed an issue which caused the URL to be improperly encoded when using Form Based authentication. |
PD-3843 | Fixed an issue where Web Application Firewall (WAF) rule updates caused the LoadMaster backup file size to increase. |
17.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-3156 | Certain Kerberos ticket sizes cause connections to drop. |
PD-2586 | Virtual IP detail statistics are incorrect. |
PD-1677 | RSA config and node secret files cannot currently be uploaded to the LoadMaster using the RESTful API. |
PD-3681 | Some valid regular expressions are causing a syntax error. |
PD-3333 | Licensing requests can be delayed and can time out in certain scenarios. |
PD-4118 | Importing a .pem certificate with a separate key file causes a missing key file error. As a workaround, combine the certificate and key into one file (by using the cat command) and upload the combined file. |
18 Release 7.1-24a
Refer to the sections below for details about firmware version 7.1-24a. This was released on 11th February 2015.
18.1 New Features
- VPN tunneling is supported
- The Log Insight add-on pack is installed on LoadMasters by default.
- The LoadMaster works with SafeNet Hardware Security Module (HSM) devices.
- The LoadMaster FIPS software supports OpenSSL v1.0.1e on the current FIPS card.
- OpenStack support added
18.2 Feature Enhancements
- There is no longer a need to reboot after disabling SSL renegotiation.
- The OpenSSL version on the LoadMaster has been updated to OpenSSL 1.0.1k.
- When an SSL Virtual Service thread limit is reached, the current connection count on all Virtual Services are displayed in the logs.
- The Netstat log includes the listening port, iptables, and NAT information.
- The LoadMaster for Azure shows the external IP address in the console after the setup is completed.
- The RESTful API command to add a Virtual Service has been improved.
18.3 Issues Resolved
PD-3843 | Improved the stability of Web Application Firewall (WAF) updates. |
PD-3617 | Fixed an issue where SubVSs maintained persistence even when they were down. |
PD-3530 | The LoadMaster supports the download of EC certificates. |
PD-3037 | Fixed an issue with the LoadMaster for Azure where the HA master unit was not recovering after a failure or reboot. |
PD-2859 | Fixed an issue which was preventing some HA backups from being restored. |
PD-3773 | Issues with using the preferred host HA option when WAF is enabled have been resolved. |
PD-3570 | Hostname information has been added to LoadMaster backup files. |
PD-3467 | Messaging relating to password security strength has been improved. |
PD-3404 | Fixed an issue which prevented customers with Service Provider License Agreements (SPLA) from accessing the LoadMaster console. |
PD-3393 | Fixed an issue which prevented Fully Qualified Domain Names (FQDNs) which started with a period (.) from being deleted. |
PD-3306 | Fixed a routing issue relating to static routes. |
PD-3299 | Fixed an issue which prevented users with usernames containing a comma (,) from being modified or deleted. |
PD-3260 | Fixed an issue relating to storage of the home page statistic graphs. |
PD-3221 | Fixed an issue relating to Edge Security Pack (ESP) passwords containing UTF8 characters. |
PD-3220 | LoadMaster will continue handling traffic using the default Exchange image set, even when the Portuguese or French Canadian image sets are assigned during an upgrade from 7.1-16 to 7.1-24 or higher. |
PD-3187 | Fixed an issue relating to the status display of Virtual Services with "redirect" SubVSs. |
PD-2992 | Fixed an issue relating to CPU temperature statistics display. |
PD-3161 | Fixed an issue with reverse SSL. |
PD-3176 | Fixed an issue relating to the TLStype RESTful API parameter not being saved. |
PD-3160 | Fixed an issue with the modmap RESTful API command. |
PD-3106 | The Virtual Service status is updated correctly in the RESTful API when a Real Server is disabled. |
PD-3104 | The addmap RESTful API command works in all scenarios. |
PD-3075 | A superfluous error message, which displayed when setting the isolateips parameter using the ModifyFQDN command, has been removed. |
18.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-4042 | In certain situations, upgrading a FIPS LoadMaster from version 7.0-10 to 7.1-24a causes the WUI to become inaccessible. This issue does not occur when installing 7.1-24a from an ISO image. |
PD-3156 | Certain Kerberos ticket sizes cause connections to drop. |
PD-2586 | Virtual IP detail statistics are incorrect. |
PD-1677 | You cannot currently upload RSA config and node secret files to the LoadMaster using the RESTful API. However, it is possible using the WUI. |
PD-3681 | Some valid regular expressions are causing a syntax error. |
PD-3333 | Licensing requests can be delayed and can time out in certain scenarios. |
PD-3330 | There is an issue relating to ESP and special characters in a URL. |
19 Release 7.1-22b
Refer to the sections below for details about firmware version 7.1-22b. This was released on 3rd December 2015.
19.1 Feature Enhancements
- Improved logs for SSL thread limit.
19.2 Issues Resolved
PD-3287 | Fixed an issue with drain time where connections were being dropped without waiting for the drain time. |
PD-3338 | Improved security on formatted Uniform Resource Identifiers (URI) attacks. |
PD-3051 | Fixed an issue relating to routing and Server NAT when the packet filter is enabled. |
PD-2751 | Issues with ActiveSync working with Exchange 2013 have been resolved. |
PD-3349 | Issues relating to 4K SSL keys which caused some HTTPS Virtual Services to go offline have been resolved. |
19.3 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-2182 | When Permitted Groups are set for ESP, users receive an incorrect credential prompt at the forms-based login when the LoadMaster contacts child domains for user authentication. |
PD-2586 | Virtual IP detail statistics are incorrect. |
PD-221 | Access to the LoadMaster WUI using an iPhone is not supported. |
PD-3161 | Reverse SSL does not work correctly. |
PD-3160 | There is a bug with the modmap RESTful API command. |
PD-3106 | The Virtual Service status is not updated in the RESTful API when a Real Server is disabled. |
PD-3104 | The addmap RESTful API command does not work when the Selection Criteria is set to Real Server Load. |
PD-3075 | A superfluous error message appears when you attempt to set the isolateips parameter using the PowerShell ModifyFQDN command. |
PD-2992 | The temperature on the Statistics screen only shows details for one CPU. |
PD-2893 | It is possible to upload the same template again in the LoadMaster WUI. |
PD-1677 | You cannot currently upload RSA config and node secret files to the LoadMaster using the RESTful API. However, it is possible using the WUI. |
20 Release 7.1-22
Refer to the sections below for details about firmware version 7.1-22. This was released on 25th November 2014.
20.1 New Features
- Web Application Firewall (WAF)
- New templates
- Web Application Firewall (WAF) API commands
- Template import using API
- New health check
- New Azure billing options
- Akamai add-on pack
20.2 Feature Enhancements
- The layout of the manage SSO domain screen has been improved.
- Virtual Service and Real Server status is available using API commands.
- Updated the time zone data for Russia.
- Add-ons are named based on the LoadMaster version they were made with.
- Cloud-based Virtual LoadMasters have a Web User Interface (WUI) certificate that matches their given FQDN.
- When blocking users - different logon styles for the same username are treated as the same user.
- Arbitrary WUI ports can be set using the Java API.
- Security enhancements have been made to GEO.
- Multiple Virtual Services with the same IP address can be added to the GEO Real Server Load Cluster Check.
- Updated the BIND version to 9.9.6-ESV to address CVE-1999-0662.
20.3 Issues Resolved
PD-2930 | Fixed an issue with the "Always check persist" option. |
PD-2786 | Fixed an issue where ESP logs could not be cleared. |
PD-2750 | Fixed an issue where creating/editing a Layer 4 Virtual Service would cause connections to drop. |
PD-2719 | Fixed memory issues on units with bonded interfaces. |
PD-2707 | Stopped the LoadMaster from mangling UDP packets with a 0 checksum. |
PD-3086 | Fixed an issue with "Use Address for Server NAT" and SubVSs. |
PD-2767 | Allowed groups can use the principal name format to log in. |
PD-2557 | RADIUS authentication should work with Microsoft (and other vendor-based) RADIUS servers. |
PD-3023 | Fixed an issue with persistence and cookies. |
PD-2656 | The RESTful API aclcontrol command uses correct user permissions. |
PD-2574 | Issues (relating to ESP and ActiveSync) which were caused by passwords containing non-ASCII characters have been resolved. |
PD-2756 | A number of GEO bugs have been fixed, for example GEO listens on the specified additional addresses when the Use for GEO option is enabled on the interface. |
PD-3199 | Steps taken to mitigate the following security risk - CVE-2014-3566 ("POODLE") |
20.4 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-2182 | When Permitted Groups are set for ESP, users receive an incorrect credential prompt at the forms-based login when the LoadMaster contacts child domains for user authentication. |
PD-2586 | Virtual IP detail statistics are incorrect. |
PD-221 | Access to the LoadMaster WUI using an iPhone is not supported. |
PD-2751 | When using ActiveSync with form-based authentication, occasionally SSO domain connections are dropped. |
PD-3161 | Reverse SSL does not work correctly. |
PD-3160 | There is a bug with the modmap RESTful API command. |
PD-3106 | The Virtual Service status is not updated in the RESTful API when a Real Server is disabled. |
PD-3104 | The addmap RESTful API command does not work when the Selection Criteria is set to Real Server Load. |
PD-3075 | A superfluous error message appears when you attempt to set the isolateips parameter using the PowerShell ModifyFQDN command. |
PD-2992 | The temperature on the Statistics screen only shows details for one CPU. |
PD-2893 | It is possible to upload the same template again in the LoadMaster WUI. |
PD-1677 | You cannot currently upload RSA config and node secret files to the LoadMaster using the RESTful API. However, it is possible using the WUI. |
21 Release 7.1-20d
21.1 Feature Enhancements
- Changes made to allow the Virtual LoadMaster for Azure to be included in the Microsoft Gallery.
- Updates to firmware to mitigate the Shellshock vulnerability.
21.2 Known Issues
PD-11023 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability. |
PD-2182 | When Permitted Groups are set for ESP, users receive an incorrect credential prompt at the forms-based login when the LoadMaster contacts child domains for user authentication. |
PD-2586 | Virtual IP detail statistics are incorrect. |
PD-2656 | The RESTful API aclcontrol command does not have proper user permissions. |
PD-221 | Access to the LoadMaster WUI using an iPhone is not supported. |
PD-2574 | Issues with ESP and ActiveSync if the password contains certain non-ASCII characters. |
PD-2751 | When using ActiveSync with form-based authentication, occasionally SSO domain connections are dropped. |
PD-2750 | Occasionally some active Layer 4 Virtual Service connections are dropped when another Layer 4 Virtual Service is created or modified. |
22 Release 7.1-20a
22.1 New Features
- New add-on pack to integrate the LoadMaster with VMware vCenter Log Insight.
- New templates to leverage the new Log Insight add-on.
- Support for a new bare metal platform: Fujitsu Primergy.
- Support for Kerberos Constrained Delegation (KCD)
- The ability to designate GEO listening interfaces.
- The ability to use multiple interfaces to listen for GEO requests.
- GEO API commands have been added.
- Web Application Firewall (WAF) - beta release.
22.2 Feature Enhancements
- The OpenSSL version has been upgraded to 1.0.1i.
- The strength of DHE exchange keys for SSL/TLS has been increased.
- A new Domain/Realm field has been added to the Manage SSO screen.
- The certificate used by the WUI will take the public name used by Azure/AWS.
- Implemented new Azure requirements
22.3 Issues Resolved
PD-2267 | Fixed an issue with the LoadMaster logging process which, in some circumstances, may lead to excessive wear of our Solid State Drives (SSDs) |
PD-2648 | Fixed a memory issue relating to the SSO manager. |
PD-2380 | Changed the log level of successful backup notifications. |
PD-2598 | Fixed an issue with permanent ESP cookies and SubVSs. |
PD-2559 | Fixed an issue where an SSL Virtual Service might crash. |
PD-2485 | Made the 100-Continue options clearer in the Web User Interface (WUI). |
PD-1728 | Fixed an issue with terminal service persistence not being set correctly. |
PD-1717 | Fixed an issue where changing an interface address would cause an additional address to stop working until the LoadMaster was rebooted. |
PD-2349 | Reworked the re-encrypt Via header to send HTTPS information. |
PD-2252 | Fixed an issue where non-checked interfaces did not send Gratuitous ARPs. |
PD-2341 | Fixed an issue where SNMP did not report the correct status for SubVSs. |
PD-2466 | Fixed an issue where some HA statistic settings would revert to their previous value. |
PD-2310 | ESP for SMTP can handle Extended SMTP (ESMTP) chunking. |
PD-2481 | Fixed a memory issue relating to wildcard Virtual Services. |
PD-2508 | Fixed an issue where ESP groups had access to other Virtual Services with the same domain. |
PD-2560 | Enhanced the IMAP health check to make it more RFC compliant. |
PD-2641 | Increased the strength of the WUI SSL ciphers. |
PD-2645 | Fixed an issue where statistics were not being refreshed at a proper interval. |
PD-2544 | GEO wildcard FQDNs are editable. |
PD-2536 | The Allow Administrative WUI Access option is working correctly on the HA shared IP address of additional interfaces. |
PD-2253 | Memory issue relating to the HA active unit has been fixed. |
PD-2101 | Fixed an issue where Azure LoadMasters were not starting after a reboot. |
PD-2707 | Fixed an issue where a 0 checksum UDP packet received from a client was blocked. |
PD-2887 | The Subject Alternative Name (SAN) in the certificate is used as part of authentication. |
PD-2897 | Memory issues with bonded interfaces have been resolved |
22.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- When Permitted Groups are set for ESP, users receive an incorrect credential prompt at the forms-based login when the LoadMaster contacts child domains for user authentication.
- Virtual IP detail statistics are incorrect.
- The RESTful API aclcontrol command does not have proper user permissions.
- Access to the LoadMaster WUI using an iPhone is not supported.
- Issues with ESP and ActiveSync if the password contains certain non-ASCII characters.
- When using ActiveSync with form-based authentication, occasionally SSO domain connections are dropped.
- Occasionally some active Layer 4 Virtual Service connections are dropped when another Layer 4 Virtual Service is created or modified.
23 Release 7.1-18b
23.1 New Features
- VMware vCenter Operations Management Pack released
- Azure High Availability (HA) enhancements
- Azure HA mode health check
- Azure HA mode remote synchronization
- Azure HA mode WUI changes
- New GEO features which allow failover and isolates public/private sites. Also, two GEO selection criteria options have been renamed to more appropriately reflect their functions (Location Based has been renamed to Proximity and Regional has been renamed to Location Based).
- Added Hyper-V Tools support
- New Reencryption SNI Hostname option
23.2 Feature Enhancements
- The Exchange 2013 templates have been updated to reflect Exchange 2013 SP1
- The LoadMaster will pass the host header of HTTPS 1.1 health checks as the server name for Server Name Indication (SNI)
- It is possible to enable Web User Interface (WUI) access on multiple interfaces
- Updated firmware to mitigate against CVE-2014-5287 and CVE-2014-5288 vulnerabilities. Credited to - Roberto Suggi Liverani
23.3 Issues Resolved
PD-2270 | Fixed an issue with AWS where a reboot was required after licensing |
PD-2292 | Fixed an issue with L7 transparency and latency on VMware systems |
PD-2407 | Fixed an issue where certain persistence modes were not selectable in the Web User Interface (WUI) |
PD-2421 | Stopped the LoadMaster OS from panicking on VMware Workstation |
PD-2445 | Fixed an issue that would cause a UDP Virtual Service to not work if a TCP Virtual Service existed using the same IP and port combination |
PD-2365 | Improvements have been made to the LoadMaster for AWS in relation to Amazon's policies |
PD-2183 | Functions have been added to sanitize input in the WUI to resolve some security issues - fix for CVE-2014-5287 and CVE-2014-5288 |
PD-2205 | Added new allowed HTTP methods to enable Remote Desktop Services on Windows 8.1 |
PD-2131 | Fixed an issue in Layer 7 UDP services which could have caused the LoadMaster to reboot |
PD-2120 | Resolved some issues with Layer 4 FTP |
PD-2082 | SSO configuration is included in automatic configuration backups |
PD-1939 | SSO configuration is included in manual configuration backups |
PD-2065 | A new ESP option called Use Session or Permanent Cookies was added which must be set to a permanent cookies option for SharePoint to work correctly with ESP |
PD-2043 | Increased the maximum number of characters in the RESTful API ciphers parameter to 1023 |
PD-1989 | The underscore character is allowed in the Logoff String field in the ESP options |
PD-1984 | Removed spurious log messages relating to locked users |
PD-1972 | Fixed an issue where per-Virtual Service subnet originating addressing was not working when SSL re-encryption was enabled |
PD-1958 | Added the Additional Headers field in scenarios where it should be displayed but was previously hidden |
PD-1952 | Fixed an issue where adding a space in the Test User Password field for an SSO domain would cause problems for other fields |
PD-1936 | HTTP POST health checks send complete information to the Real Server |
PD-1935 | Fixed an issue where a deleted Virtual Service caused spurious messages in the WUI |
PD-1932 | Fixed an issue where ESP could reject valid requests |
PD-1857 | Restructured the Exchange templates |
PD-1849 | Backslashes are allowed in the Test User field for LDAP SSO domains |
PD-1941 | Removed unnecessary options for GEO cluster synchronization |
PD-2309 | Fixed an issue where websites behind the LoadMaster were responding slowly when caching and compression was enabled |
PD-2275 | Increased thread count to improve throughput |
PD-2474 | For a SubVS, the HTTP/HTTPS decision is based on the parent Virtual Service settings |
23.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- GEO health check intervals do not match the settings configured
- The RESTful API command to set the SNMP client only supports IP addresses and not host names (the WUI option supports both)
- Editing an IPv4 address will cause IPv6 addresses to stop responding until a reboot
- There is no option using the RESTful API interface to upload a configuration and node secret file for RSA settings (this can be done using the WUI)
- The RESTful API command to set the NTP host does not allow a URL to be set
24 Release 7.1-16b
24.1 New Features
- Support added for Amazon Web Services (AWS)
24.2 Issues Resolved
PD-2123 | Remediation for SSL/TLS MITM vulnerability (CVE-2014-0224) - updated OpenSSL version to 1.0.1h |
24.3 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Changing an IPv4 address causes problems with IPv6
- Issues are experienced when polling the LoadMaster with SNMP when the Default Gateway is on a different interface
- Access to the LoadMaster WUI using iPhones is not supported.
- The Real Servers are Local option is not working as expected
25 Release 7.1-16
25.1 New Features
- A new subscription-based online licensing model for the LoadMaster has been implemented
- Full support for UDP at Layer 7
- UDP Layer 7 persistence
- The LoadMaster Operating System is running on Linux kernel 3.10.28
- Added the ability to duplicate a Virtual Service which has SubVSs
25.2 Feature Enhancements
- Added the ability to use a semi-colon in the SNMP Location text box
- When ESP is not enabled on any Virtual Service for a particular SSO domain, the SSO domain can be deleted
- Added support for the HTTP method "report"
- When an SSO image set is updated, changes are updated automatically
- Error codes for RESTful API have been updated - missing REST objects return a 404 error and others return 200 plus an error code
- RESTful API GET responses are consistent with the corresponding SET commands
- Websocket connections are supported
- A new option has been added to the Always Check Persist field which allows the saving of persistence changes mid-connection
- Templates allow the re-use of Services which have Content Rules
- Users can specify an alternate port for LDAP servers
25.3 Issues Resolved
PD-1746 | Fixed an issue where the Statistics could report a negative value for compression |
PD-1704 | Fixed an issue where the Web User Interface (WUI) would allow more than 510 extra ports in a Virtual Service |
PD-1678 | Some security vulnerabilities have been addressed |
PD-1676 | Fixed an issue with disabling a Real Server with a domain name |
PD-1430 | Users can use sorry servers with a Virtual Service that has SSL re-encryption enabled |
25.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Changing an IPv4 address causes problems with IPv6
- Issues are experienced when polling the LoadMaster with SNMP when the Default Gateway is on a different interface
- Access to the LoadMaster WUI using iPhones is not supported.
- The Real Servers are Local option is not working as expected
26 Release 7.0-14c
26.1 Issues Resolved
PD-1754 | The OpenSSL version has been upgraded to version 1.0.1g, which is not vulnerable to the HeartBleed bug |
PD-1702 | Fixed an issue with multiple Virtual Services using group permissions and the same SSO domain |
PD-1705 | Issue with High Availability (HA) bonding has been resolved |
PD-1706 | Enabling ESP on an SMTP service will no longer display a spurious error message |
PD-1709 | Issues with the LDAPS and LDAP StartTLS authentication protocols and SSO server have been resolved |
PD-1714 | ESP-enabled SMTP services correctly pass traffic |
26.2 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Hyper-V Virtual LoadMaster (VLM) NIC alternate IP address settings do not set properly until the machine is rebooted
- When switching to HA mode from a single unit, changing the local IP when setting up HA results in loss of connectivity to the WUI
- Users may appear multiple times in the blocked user list
- Access to the LoadMaster WUI using iPhones is not supported.
- Cannot install Exchange Virtual Services from a template if existing Virtual Services have been created from a template
27 Release 7.0-14a
27.1 New Features
- Support for RSA multi-factor authentication
27.2 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Hyper-V Virtual LoadMaster (VLM) NIC alternate IP address settings do not set properly until the machine is rebooted
- When switching to HA mode from a single unit, changing the local IP when setting up HA results in loss of connectivity to the WUI
- Users may appear multiple times in the blocked user list
- Access to the LoadMaster WUI using iPhones is not supported.
- Cannot install Exchange Virtual Services from a template if existing Virtual Services have been created from a template
28 Release 7.0-14
28.1 New Features
- Online checking for software updates
- Support has been implemented for add-on packages
- VMware Tools support
- Support for Edge Security Pack (ESP) phase 2:
  - Customizable login forms
  - Public/private options for ESP login form
  - Support soft lock out for users
  - Additional workloads are supported with ESP
  - RADIUS is an option for the authentication server
- LoadMaster for Amazon Web Services (AWS)
- Templates for VMware Horizon Workspace are available
28.2 Feature Enhancements
- More information is provided when resetting your password using the local console
- The legacy heartbeat option is hidden in the Web User Interface (WUI)
- Wildcard certificate matches are presented in an SNI configuration
28.3 Issues Resolved
PD-890 | Issue with using non-alphanumeric characters in automated backup passwords has been resolved |
PD-1200 | Issue with setting a large cache percentage on high memory LoadMasters has been resolved |
PD-1284 | Issue with statistics when disabling a Real Server has been resolved |
PD-1498 | Issue where using preferred host in HA can cause both units to become standby has been resolved |
PD-1404 | SubVSs honor the "Use for SNAT" setting |
PD-1452 | Restoring backups to inappropriate devices is prevented, for example restoring a HA backup on a single system |
PD-1539 | Resolved several minor HA-related issues |
PD-1206 | Resolved issue related to SNMP and SubVSs |
28.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Hyper-V Virtual LoadMaster (VLM) NIC alternate IP address settings do not set properly until the machine is rebooted
- When switching to HA mode from a single unit, changing the local IP when setting up HA results in loss of connectivity to the WUI
- The unblock locked user function may not work in all browsers (there are problems in Chrome and Internet Explorer)
- Users may appear multiple times in the blocked user list
- Access to the LoadMaster WUI using iPhones is not supported.
- Cannot install Exchange Virtual Services from a template if existing Virtual Services have been created from a template
29 Release 7.0-12a
The LM-2500 and LM-3500 are not supported from LoadMaster version 7.0-12a and above. Support for these models, and FIPS models, is offered at version 7.0-10 and below.
29.1 New Features
- SSL Performance Optimizations
- Support for Oracle Sun x86 servers
- Support for HP ProLiant servers
- Support for VMware vSphere 5.5
- Licensing functionality within LoadMaster has been enhanced including the display of the license related information on the LoadMaster WUI home screen and various enhancements to the Automated Licensing Support Infrastructure.
- Windows 2012 R2 Hyper-V Virtual LoadMaster (VLM)
- Idle and session timeout can be set and it is possible to switch between idle and session timeout
29.2 Feature Enhancements
- Additional commands and functionality have been added to the RESTful API
- Additional licensing information has been added to the backup file
29.3 Issues Resolved
PD-797 | Issue with the Packet Routing Filter after upgrading licenses has been resolved |
PD-839 | Improved Layer 4 handling of configuration changes, which enhances the generation of SNMP traps |
PD-934 | Issue with sharing persistency across SubVSs has been resolved |
PD-1023 | High-Availability failover issue when adding a high number of interfaces has been resolved |
PD-1043 | Issue with Access Control Lists and IPv6 has been resolved |
PD-1070 | The HA 'Forced Switchover' functionality has been removed |
PD-1089 | Issue with the Use Address for Server NAT option in new servers has been resolved |
PD-1094 | Issue with using the RESTful API to create a Virtual Service using Adaptive Scheduling has been resolved |
PD-452 | Issue with VLAN trunking on Hyper-V VLMs has been resolved |
PD-1174 | Security vulnerability (CVE-2004-0230) resolved. This vulnerability may still be reported after running a security test because the test checks the kernel version. The fix has been backported into the LoadMaster, but the kernel version has not been updated, which is why the vulnerability is still reported even though it does not exist. |
PD-1144 | ESP issue with publishing a calendar in Exchange 2013 has been resolved |
29.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Access to the LoadMaster WUI using iPhones is not supported.
- The Netconsole IP is not applied immediately to both units of a HA pair
- Automated FTP backups must not contain special characters.
- Cannot immediately set the shared and partner IP addresses for HA if the IP address has been only obtained from DHCP. A workaround for this is to set the IP address again.
- A reboot is required if you add IPv6 as an alternative address, create an IPv6 Virtual Service and then create an Access Control List. The reboot is required before entries can be added to the Access Control List.
- On a GEO LM, it is not possible to specify an alternate address on an interface to receive DNS requests.
- Within a Virtual LoadMaster, the alternative NIC IP address settings are not being picked up until the machine is rebooted.
30 Release 7.0-10i
30.1 Issues Resolved
PD-3643 | Cipher list restricted to RC4-SHA to mitigate against POODLE vulnerabilities. |
30.2 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Trunked VLANs are not permitted on Hyper-V VLMs.
- Automated FTP backups must not contain special characters.
- Intermittent issue with encryption ASIC driver under atypical conditions.
- The HA 'Force Switchover' button behaves erratically.
31 Release 7.0-10h
31.1 Issues Resolved
PD-3146 | Steps taken to mitigate the following security risk - CVE-2014-3566 ("POODLE"). |
PD-3201 | Added the option to disable weak SSL ciphers. |
31.2 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Trunked VLANs are not permitted on Hyper-V VLMs.
- Automated FTP backups must not contain special characters.
- Access to the LoadMaster WUI using iPhones is not supported.
- Intermittent issue with encryption ASIC driver under atypical conditions.
- The HA 'Force Switchover' button behaves erratically
32 Release 7.0-10g
32.1 Issues Resolved
PD-2976 | Steps taken to mitigate the following security risks - CVE-2014-6271 and CVE-2014-7169. |
32.2 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Trunked VLANs are not permitted on Hyper-V VLMs.
- Automated FTP backups must not contain special characters.
- Access to the LoadMaster WUI using iPhones is not supported.
- Intermittent issue with encryption ASIC driver under atypical conditions.
- The HA 'Force Switchover' button behaves erratically
33 Release 7.0-10f
33.1 Issues Resolved
PD-2274 | Fixed an issue with the LoadMaster logging process which, in some circumstances, may lead to excessive wear of our Solid State Drives (SSDs) |
PD-2376 | Added functions to sanitize input in the Web User Interface (WUI) to improve security - fix for CVE-2014-5287 and CVE-2014-5288 |
33.2 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Trunked VLANs are not permitted on Hyper-V VLMs.
- Automated FTP backups must not contain special characters.
- Access to the LoadMaster WUI using iPhones is not supported.
- Intermittent issue with encryption ASIC driver under atypical conditions.
- The HA 'Force Switchover' button behaves erratically
34 Release 7.0-10e
34.1 Issues Resolved
PD-2123 | Security fix for CVE-2014-0224 |
34.2 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Trunked VLANs are not permitted on Hyper-V VLMs.
- Automated FTP backups must not contain special characters.
- Access to the LoadMaster WUI using iPhones is not supported.
- Intermittent issue with encryption ASIC driver under atypical conditions.
- The HA 'Force Switchover' button behaves erratically
35 Release 7.0-10d
35.1 Issues Resolved
PD-1413 | Security fix for CVE-2004-0230 |
PD-1487 | Security fix for XSS attack on ESP |
PD-1617 | Driver update: ixgbe drivers have been updated to version 3.18.7 |
PD-1925 | Fixed an issue where setting up an HA standby unit could cause service interruption in certain cases |
PD-1931 | Fixed an issue to prevent spurious log messages appearing |
PD-1965 | Fixed a potential issue where logging into an ESP Virtual Service would be blocked |
35.2 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Trunked VLANs are not permitted on Hyper-V VLMs.
- Automated FTP backups must not contain special characters.
- Access to the LoadMaster WUI using iPhones is not supported.
- Intermittent issue with encryption ASIC driver under atypical conditions.
- The HA 'Force Switchover' button behaves erratically
36 Release 7.0-10
36.1 New Features
- Lync 2013 Templates
- Windows 2012 Hyper-V Virtual LoadMaster (VLM)
- Windows 8 Hyper-V Virtual LoadMaster (VLM)
36.2 Feature Enhancements
- Additional commands have been added to the RESTful API
- A hyperlink within the WUI opens a WUI connection to the other unit within a HA pair
- Enhancements to the ALSI have been implemented
- Statistics collection is configurable
- 'Sorry Server' is available for UDP services
36.3 Issues Resolved
PD-536 | Issue with disabling Real Servers has been resolved |
PD-537 | Issue with RADIUS authorization when not in session mode has been resolved |
PD-544 | Minor inconsistencies with the display of real server statistics have been resolved |
PD-557 | Issue with L7 Drain Time has been resolved |
PD-570 | Added a limit to the size of the files that can be compressed |
PD-643 | The HTTP 1.1 PATCH method is supported |
PD-645 | Issue in handling 'SuperHTTP or Source IP Address' persistence method has been resolved |
PD-769 | Inconsistency in visibility of Add HTTP Headers field has been resolved |
PD-774 | Issue with configuring UDP 'Sorry Server' has been resolved |
PD-785 | Issue with use of special characters in the SSO Greeting Message has been resolved |
PD-787 | Issue with Perform if Flag functionality has been resolved |
PD-790 | Issue with supporting TLS 1.0 for LoadMaster initiated connections has been resolved |
PD-791 | Issue with port numbers in returned SNMP values has been resolved |
36.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Trunked VLANs are not permitted on Hyper-V VLMs.
- Automated FTP backups must not contain special characters.
- Access to the LoadMaster WUI using iPhones is not supported.
- Intermittent issue with encryption ASIC driver under atypical conditions.
- The HA 'Force Switchover' button behaves erratically
37 Release 7.0-8e
37.1 Feature Enhancements
- Automated Licensing and Support Infrastructure (ALSI) Enhancements
37.2 Issues Resolved
PD-675 | Corrected available TLS cipher suite for LM-5305-FIPS |
PD-708 | SSL Re-encrypt works properly on LM-5305-FIPS |
PD-700 | Fixed reboot issue when changing service types |
PD-739 | Additional special characters are allowed in SSO passwords |
PD-758 | Fixed issue where the initial SSO login would not properly pass query string to the server |
PD-581 | The " character is allowed in the SSO greeting message |
37.3 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Access to the LoadMaster WUI using iPhones is not supported.
- Warnings (which can be ignored) appear when deploying .ovf files.
- Intermittent issue with encryption ASIC driver under atypical conditions
- Update issues with Real Server statistics
- Intermittent issue with disabling Real Servers
- The HA 'Force Switchover' button behaves erratically
38 Release 7.0-8a
38.1 Feature Enhancements
- Automated Licensing and Support Infrastructure Enhancements
38.2 Issues Resolved
PD-415 | Issue with SSOMGR has been resolved |
38.3 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Access to the LoadMaster WUI using iPhones is not supported.
- Warnings (which can be ignored) appear when deploying .ovf files.
- Intermittent issue with encryption ASIC driver under atypical conditions
- Update issues with Real Server statistics
- Intermittent issue with disabling Real Servers
- Cannot enter the " character in the SSO Greeting Message
- The HA 'Force Switchover' button behaves erratically
39 Release 7.0-8
39.1 New Features
- Automated Licensing and Support Infrastructure
- Cisco UCS C Series Support
- Geo Server Load Balancer Feature Pack
- New Virtual LoadMaster Products
39.2 Feature Enhancements
- Configurable login format for ESP
39.3 Issues Resolved
PD-154 | Additional characters supported in SNMP community strings |
PD-188 | Quicksetup help auto-popup issue resolved in the CLI. |
PD-327 | Compression issue with short content lengths resolved. |
PD-335 | Issue with simultaneous use of SNMP and 'Drop on Fail' has been corrected |
PD-336 | Issue with LoadMaster Config viewer is resolved |
PD-341 | Issue with accessing the WUI while using software FIPS is resolved |
PD-386 | Can connect to Virtual Services, with persistence enabled, during connection drain time. |
PD-389 | Minor issues with the Exchange Wizard have been resolved |
PD-393 | HA issue when creating VLANs under load is resolved. |
PD-401 | Issue with ESP logs is resolved |
PD-414 | Issue with weighting of SubVS has been resolved |
PD-437 | Issue with forwarding emails containing the licensing blob is resolved |
PD-446 | Issue with LoadMaster 2200 under high load resolved. |
PD-449 | Resolved Certificate Manager issue in configurations with large number of Virtual Services. |
PD-550 | mail_util.php is included in srcfiles. |
39.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Access to the LoadMaster WUI using iPhones is not supported.
- Warnings (which can be ignored) appear when deploying .ovf files.
- Intermittent issue with encryption ASIC driver under atypical conditions
- Update issues with Real Server statistics
- Intermittent issue with disabling Real Servers
- Cannot enter the " character in the SSO Greeting Message
- The HA 'Force Switchover' button behaves erratically
- Rare segfault with SSOMGR under atypical conditions
40 Release 7.0-6
40.1 New Features
- Quickstart Wizard - Exchange 2010
- RESTful API v.2.0
- Cisco UCS B Series Support
- Call Home - Phase 1
40.2 Feature Enhancements
- After installing or replacing a certificate, there is an option to return to the Virtual Service page
- Quality of Service functionality is configurable within Virtual Services
- The image sets for the ESP login screens support a number of different languages
- The character limit within the Message of the Day has been increased
- When applying a temporary license, feedback is provided if a temporary license has already been applied
- The traceroute and netstat utilities are available debug options
- Bulk disabling of Real Servers is possible
- L7 Transparency is available for selection within a SubVS when the parent Virtual Service uses SSL Acceleration with re-encryption enabled.
40.3 Issues Resolved
PD-371, PD-370 | Issues configuring eth0 on a 64 bit LoadMaster have been resolved |
PD-293 | Removed restriction on creating a VLAN with an identifier of 1 |
PD-270 | Issue with deleting VSs in a state of Security Down is resolved |
PD-263 | Issue with HA time out values resolved |
PD-257 | Issue with Health Checks on ESP-enabled Virtual Services has been resolved |
PD-247 | To conserve CPU, gathering statistics is restricted to the items displayed on the Home page, unless specified in the Collect All WUI option |
PD-246 | Issue with Port Following is resolved |
PD-231 | ACLs working as expected when Virtual Services are set to additional ports |
PD-230 | Initial maximum cache size on LoadMaster for UCS is within the valid range |
PD-188 | Within the LoadMaster console, an inappropriate call of Quick Help has been resolved |
PD-157 | Can configure shared interfaces in the HA setup process before rebooting |
PD-140 | A failed adaptive health check disables the Real Server |
PD-205 | SNORT 2.9 rules import correctly |
40.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- A page is not delivered when using compression and http content-length is 0 bytes
- Issues may occur with SNMP traffic when the Drop at Drain Time End option is enabled
41 Release 7.0-4
41.1 New Features
- Edge Security Pack: A range of new security features has been added to the LoadMaster.
- The LoadMaster supports the creation and management of SubVSs.
- There is a new dashboard home screen with the capability to display graphical performance information.
- A new license format has been introduced
- A new VLM package, to support VLM installation within an Oracle VirtualBox environment is available
41.2 Feature Enhancements
- MIB files have been updated
- SID and revision information included in IPS logging
- VLAN Separation per Interface
- Support for larger TCP window sizes
- 'Kill switch' is supported on all LoadMaster versions
- LM-R320 has its serial number visible on the WUI
- The Netconsole Host interface is configurable using the WUI
41.3 Issues Resolved
1850 | Issue with SMTP STARTTLS when a client sends an EHLO is resolved |
2325 | Issue with ACL whitelist allowing other IPs is resolved |
2584 | Issue with switching VS types under load is resolved |
2669, 2556 | Some reboot issues have been resolved |
2657 | An issue with caching on Firefox has been resolved |
2788 | The "-" character is allowed in the DNS Search Domain field |
2598 | Issues with the MIBS have been resolved |
2675 | A circular routing problem has been resolved |
2278 | SNMP trap Source IP has been changed to pre 5.1-48 behaviour |
2328 | SSL renegotiation can be toggled on/off |
2528 | SSLv2 is no longer used for LoadMaster initiated SSL connections |
2578 | An issue with Not Available Redirection XSS has been resolved |
2599 | The Default IP is displayed on the WUI when DHCP fails |
2390 | An issue with VS Specific insert X-Clientside header being overwritten by system default has been resolved |
2475 | The "-" character is allowed in the User Login field |
2529 | An issue with the Fail on Match functionality has been resolved |
2671 | An issue with Maximum Cache Size has been resolved |
41.4 Known Issues
- A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible. Further information can be found here: Mitigation For Remote Access Execution Vulnerability.
- Quick setup Help appears automatically if no IP address is configured on the LM if a VLAN is configured on eth0 and no IP address is assigned to the underlying interface (eth0)
Last Updated Date
This document was last updated on 08 December 2020.