LoadMaster 7.2.54.2 Release Notes

LMOS Version 7.2.54.2 is a bug-fix release made available in November 2021. Please read the sections below before installing or upgrading to this GA release.

Before You Upgrade (READ ME FIRST)

Please pay special attention to the issues below before you begin an upgrade to this LMOS release.

Generation of 4096-bit DHE Key

During an upgrade to this version of LMOS from a version prior to 7.2.53.0, a new 4096-bit DHE key is generated. On smaller LoadMasters, this can lead to significant CPU and memory consumption that could impact regular Virtual Service traffic. Kemp therefore strongly recommends that this update be performed during a maintenance window.

Best Practices Cipher Set

In LMOS 7.2.52.0, the BestPractices cipher set was updated. If you are upgrading from a version prior to 7.2.52.0, this change is effective immediately after upgrade to this release. This change was made to improve LoadMaster security and conform to the latest industry best practices.

If you depend on any of the ciphers being removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign this new custom cipher set to the Virtual Services that currently use the BestPractices cipher set. After this is done, you can upgrade to this release and your services will continue to use the old ciphers. If you do not, then after the upgrade any clients that depend on these ciphers being available will no longer be able to connect.

It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set. For more information on the cipher suites removed from the set, please see the LMOS 7.2.52.0 Release Notes.

Supported Models for Upgrade

This release of LMOS is supported on the Hardware, Virtual and Bare Metal models listed under the three "Supported" headings below. It is not supported and should not be installed on any model listed under the two "UNSUPPORTED" headings. This update patch can be applied to any supported model regardless of licensing (e.g., SPLA, MELA) or platform (e.g., hardware, local cloud, public cloud).

Supported Virtual Models:
VLM-200, VLM-500, VLM-2000, VLM-3000, VLM-5000, VLM-10G, VLM-GEO, VLM-MAX

Supported Hardware Models:
LM-X1, LM-X3, LM-X15, LM-X25, LM-X40, LM-2400, LM-3000, LM-3400, LM-4000, LM-5000, LM-5400, LM-5600, LM-8000, LM-8020, LM-8020M, LM-R320

Supported Bare Metal Models:
LMB-1G, LMB-2G, LMB-5G, LMB-10G, LMB-MAX

UNSUPPORTED Hardware Models:
LM-2000, LM-2200, LM-2500, LM-2600, LM-3500, LM-3600, LM-5300, LM-5500, LM-Exchange, LM-GEO

UNSUPPORTED Virtual Models:
VLM-100, VLM-1000

If your model number is not listed above, please see the list of End of Life models.

Upgrade Path

You can upgrade to this release of LMOS from any previous 7.2.x release. For full upgrade path information, please see the article Kemp LoadMaster Firmware Upgrade Path.

Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in LMOS 7.2.50.0 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you must supply the XML Verification File provided with this release.

Note that:

  • In previous releases, two verification files were provided: one for pre-7.2.51 systems and one for later systems. This restriction has been removed with this release; if upgrading from firmware 7.2.51.0 / 7.2.48.3 and above, you can use the XML file provided with this release. If upgrading from any other firmware version, you must follow the upgrade path detailed in the Kemp LoadMaster Firmware Upgrade Path article.
  • LoadMasters running an LMOS version prior to 7.2.49 do not provide the option of XML file verification in the UI or API. If you are upgrading from one of these releases to this release, you can verify the digital signatures offline using a manual process documented on the support website.

Downgrading to Earlier Versions

Downgrading a LoadMaster running LMOS 7.2.54.0 to LMOS 7.2.51.0 (or a later release) can be performed using any desired Update Verification Options setting.

Downgrading to LMOS 7.2.50.0 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

New Features

WAF: Clearing the False Positive Analysis Counters and Events

A Reset FPA Counters button has been added to the Web Application Firewall > False Positive Analysis page (which also clears the events table). If desired, the Download button at the top right of the Latest Events table can be used to download the current list of events before clearing.

Change Notices

AWS: Downgrade from LMOS 7.2.55.0

New deployments of LMOS 7.2.55.0 (and later versions) in the Amazon Web Services (AWS) cloud use the latest AWS Nitro-based machine instances, as described in the 7.2.55.0 Release Notes. Downgrade to an earlier LMOS version was not supported at the time of the 7.2.55.0 release. With the changes made in 7.2.54.2, LoadMasters deployed on an LMOS 7.2.55.0 AWS Nitro machine instance can be downgraded to 7.2.54.2 (and any later 54.x versions).

Security Updates

Console CLI Security Update

The system console has been updated to close vulnerabilities present in the CLI in previous releases that could allow an already authenticated user to obtain a privileged shell. The CVE identifier for this vulnerability is CVE-2021-41068.

Issues Resolved

PD-19129 WAF False Positive Analysis: In previous releases, a request could be successfully blocked while the Anomaly Histogram showed neither the anomaly score nor the rules triggered as a result. This issue has been fixed.
PD-19128 Real Servers Are Local Option: In previous releases, if the Real Servers Are Local option was enabled and a Virtual Service was configured for Layer 7, communication with local servers was broken if the VS had no content rules defined. This issue has been fixed.
PD-19005 ESP Post-Pass Authentication: Fixed a bug that broke the "Post-Pass" authentication method (and hence broke preauthentication for Citrix Workspace App deployments).
PD-19004 WAF: Fixed a bug that caused the Top 10 Countries counters to be reset, and to stop displaying data, when WAF was enabled or disabled.
PD-18973 Logging - ESP CEF Format Logs: Fixed various issues that could cause incorrect information to be displayed in the ESP Common Event Format (CEF) format logs.
PD-18755 HTTP/2 Performance: Fixed issues that could negatively affect HTTP/2 performance when clients accept data more slowly than real servers send it.
PD-18754 Statistics for Client Limiting: Fixed an issue that resulted in no limiting statistics being displayed after activating "generate limiter statistics".
PD-18748 Access Control Lists (ACLs): In previous releases, an ACL entry that denies access to a Virtual Service would be ignored (and access allowed) under these conditions:

  • the VS uses port 443
  • the VS is assigned an IP that is located on a network interface on which the User Interface (UI) is not running

This issue has been fixed.

PD-18722 HTTPS Virtual Services: In previous releases, users could become unable to connect to an HTTPS Virtual Service, with messages like the following appearing in the LoadMaster log: "kernel: L7: Error binding socket -98". This issue has been fixed.
PD-18702 WAF: Fixed issues that could cause a segmentation fault or reboot when the WAF configuration is modified while there is traffic passing through the WAF engine.
PD-18701 WAF: Fixed a bug that caused response rules to not be processed properly, resulting in WAF not blocking attacks that should have been blocked.
PD-18605 Statistics for Client Limiting: Fixed an issue that resulted in no limiting statistics being displayed after activating "generate limiter statistics".
PD-18464 Statistics for Client Limiting: Fixed an issue that resulted in no limiting statistics being displayed after activating "generate limiter statistics".

Existing Known Issues

The following issues appeared in the Release Notes for the previous release of LMOS.

PD-18099 Client Certificates: Authentication may be denied if multiple "Other names" are present in the client certificate.
PD-18028 Client Certificates: Under certain circumstances, a user with a valid certificate is incorrectly denied access; adding the email address of the user to the CN field causes login to succeed.
PD-18021 Content Rule UI: Display is incorrect when the 'Ignore case' option is enabled.
PD-17934 Client Limiting: An internal error can cause client limiting to be incorrectly applied; e.g., log messages may indicate that limiting is being applied, removed, and applied again within a period of time that is shorter than the period set by the user.
PD-17933 ESP: When ESP sends data, it sets the Set-Cookie header without a samesite parameter, which causes some browsers to interpret this as "samesite=lax" and possibly refuse to deliver content.
PD-17927 LDAP UI Access: Under certain circumstances, a user that has no LDAP credentials can gain access to the UI.
PD-17867 Historical Graphs: Under certain circumstances, graphs for VLANs and Bonded Interfaces may no longer appear in the UI after upgrade to 7.2.53.
PD-16140 GEO: TXT records are blank after 1024 IP addresses are added to an FQDN.
PD-15872 LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled.
PD-15633 GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDNs after the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working.
PD-15475 VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again.
PD-15354 SSO Timeout: In LMOS 7.2.51.0, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to actually be closed.
PD-15294 ESP Verify Bearer Header: LoadMaster does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
PD-14943 Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-13899 ACLs and Real Servers: Real Servers located on networks on which LoadMaster also has an IP address are always allowed to access Virtual Services configured to use ports 22 (SSH), 25 (SMTP), 53 (DNS), 161 (SNMP), and 443 (UI). Any access control list (ACL) settings on LoadMaster are ignored for these Real Servers. For Layer 7 services, this issue can be worked around using Content Rules. The only workaround for other services is to block access for local Real Servers (if desired) on another network device (firewall, switch, router, etc.).
PD-12838 ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
PD-12616 WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12492 Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
PD-12354 / PD-10466 Hardware Support: The LoadMaster models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
PD-12147 ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-12058 Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.
PD-11861 RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.
PD-11166 Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.
PD-11044 SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10917 HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.
PD-10784 HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.
PD-10586 GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10193 Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10159 Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816 / PD-9476 WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.