
ECS Connection Manager 7.2.56.2 Release Notes (GA)

ECS Connection Manager Version 7.2.56.2 is a security update to the ECS Connection Manager General Availability (GA) branch made available on 25 April 2022. Please read the sections below before upgrading to this release.   


Before You Upgrade (READ ME FIRST)

Please pay special attention to the issues below before you begin an upgrade to this ECS Connection Manager release.

Generation of 4096-bit DHE Key

During an upgrade to this version of ECS Connection Manager from a version prior to 7.2.53.0, a new 4096-bit DHE key is generated. On smaller ECS Connection Manager models, this can lead to significant CPU and memory consumption that could impact regular Virtual Service traffic, so Kemp strongly recommends performing this update in a maintenance window.

Best Practices Cipher Set

In version 7.2.52.0, the BestPractices cipher set was updated. If you are upgrading from a version prior to 7.2.52.0, this change is effective immediately after upgrade to this release. This change was made to improve ECS Connection Manager security and conform to the latest industry best practices.

If you depend on any of the ciphers being removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign it to the Virtual Services that currently use the BestPractices cipher set. After this is done, you can upgrade to this release and your services will continue to use the old ciphers. If you do not, then after the upgrade any clients that depend on these ciphers will no longer be able to connect.

It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set. For more information on the cipher suites removed from the set, please see the ECS Connection Manager 7.2.52.0 Release Notes.

Supported Models for Upgrade

This release of ECS Connection Manager is supported on the Virtual and Hardware models shown in the table below.

Supported Virtual Models        Supported Hardware Models
ECS Connection Manager VM1      ECS-H1
ECS Connection Manager VM2      ECS-H2
                                ECS-H3
                                ECS-H3M
                                ECS-H3-25G
                                ECS-H3-40G
                                ECS-H3-100G

Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in version 7.2.50.0 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply the XML Verification File supplied with this release.

Note that:

  • In previous releases, two verification files were provided: one for pre-7.2.51 systems and one for later systems. This restriction has been removed with the 7.2.53.0 release; if upgrading from firmware 7.2.51.0 and above you can use the XML file provided with this release. If upgrading from any other firmware version please read the release notes for that specific ECS Connection Manager firmware version.

Downgrading to Earlier Versions

Downgrading an ECS Connection Manager running 7.2.56.2 to 7.2.51.0 (or a later release) can be performed using any desired Update Verification Options setting.

Downgrading to version 7.2.50.0 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

Security Updates

CVE-2022-0778

This patch updates the default OpenSSL libraries to version 1.1.1n to address the OpenSSL vulnerability described in CVE-2022-0778. The bug is in the BN_mod_sqrt() function, which computes a modular square root and loops forever when the modulus it is given is not a prime. Certificate parsing reaches this function when it decodes an elliptic curve public key in compressed point form, or a certificate (or private key) that carries explicit elliptic curve parameters instead of a named curve, so a crafted certificate can hang the parsing process and cause a denial of service. Because a certificate is parsed before its signature is verified, any process that parses an externally supplied certificate is exposed; on a TLS server this includes a client certificate presented during client authentication. Further details are in the vulnerability database entry for CVE-2022-0778.

Note that this patch does not update the earlier version of OpenSSL present on ECS Connection Manager (version 1.0.2) to address CVE-2022-0778. This earlier OpenSSL version is used only when the Certificates & Security > SSL Options > OpenSSL Version parameter is set to Use older version. If this is set to Use current version (the default value), then OpenSSL 1.1.1 is used and the patched library applies.

With OpenSSL 1.0.2, the SSL handshake itself is not exposed to this issue: that version does not parse the certificate's public key during the initial parsing of the certificate, so a crafted client certificate does not trigger the loop during the handshake. On Connection Manager, the vulnerability in the older library can only be exploited by an administrative Connection Manager user who installs a specially crafted certificate and public key, which presents a much lower risk of exposure. Be aware, however, that the OpenSSL advisory states that any later operation which requires the public key from such a certificate will still trigger the infinite loop in 1.0.2. This issue will be addressed in a future release. Until then, confirm that units set to Use older version genuinely need it, and keep the default Use current version wherever the services allow.
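Certificate parsing is the entry point, so an administrator who must keep a unit on Use older version can screen a certificate before installing it. The following is an added example, not part of these release notes or of the Connection Manager product: it walks the DER structure of a certificate without calling OpenSSL and reports whether its SubjectPublicKeyInfo is an elliptic curve key with explicit parameters or a compressed point, the two shapes that reach the faulty BN_mod_sqrt() path. The sample certificates are constructed inline with a small DER encoder; they have the layout of a certificate but placeholder names, validity, curve values and signature, and are not real certificates.

```python
"""Screen X.509 certificates for the two CVE-2022-0778 trigger shapes.

Added example for these release notes, not Connection Manager code.  A
minimal DER walker is used on purpose so that the check itself never hands
an untrusted certificate to OpenSSL.
"""

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1
ID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
ID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")        # 1.2.840.10045.3.1.7
ID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")         # 1.2.840.10045.1.1

def der_tlv(buf, off=0):
    """Decode one DER element at buf[off]; return (tag, content, end_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: 0x8n followed by n big-endian length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(element):
    """Return the raw child elements of a constructed (SEQUENCE/SET) element."""
    _, content, _ = der_tlv(element)
    out, off = [], 0
    while off < len(content):
        start = off
        _, _, off = der_tlv(content, off)
        out.append(content[start:off])
    return out

def find_spki(cert_der):
    """Return the raw subjectPublicKeyInfo element of a DER Certificate."""
    tbs = der_children(cert_der)[0]  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:         # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def classify_spki(spki):
    """Return (key_type, explicit_ec_params, compressed_ec_point)."""
    alg_id, pubkey = der_children(spki)[:2]
    alg_fields = der_children(alg_id)
    oid = der_tlv(alg_fields[0])[1]
    if oid != ID_EC_PUBLIC_KEY:
        return ("rsa" if oid == ID_RSA_ENCRYPTION else "other"), False, False
    # ECParameters is either a namedCurve OID (tag 0x06) or an explicit SEQUENCE (0x30)
    explicit = len(alg_fields) > 1 and alg_fields[1][0] == 0x30
    point = der_tlv(pubkey)[1][1:]  # BIT STRING content minus the unused-bits byte
    compressed = len(point) > 0 and point[0] in (0x02, 0x03)
    return "ec", explicit, compressed

def is_risky(cert_der):
    """True if parsing this certificate would reach the BN_mod_sqrt() path."""
    key_type, explicit, compressed = classify_spki(find_spki(cert_der))
    return key_type == "ec" and (explicit or compressed)

# --- constructed samples: certificate structure only, placeholder values -----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def sample_cert(spki):
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),  # version v3, serial
              seq(tlv(0x06, ID_RSA_ENCRYPTION)),                  # signature alg (placeholder)
              seq(), seq(), seq(),                                # issuer, validity, subject
              spki)
    return seq(tbs, seq(tlv(0x06, ID_RSA_ENCRYPTION)), tlv(0x03, b"\x00"))  # no real signature

EC_NAMED = seq(tlv(0x06, ID_EC_PUBLIC_KEY), tlv(0x06, ID_PRIME256V1))
# ECParameters given explicitly (a SEQUENCE) instead of a namedCurve OID; the
# field, curve and base-point values are placeholders, not a real curve.
EC_EXPLICIT = seq(tlv(0x06, ID_EC_PUBLIC_KEY), seq(
    tlv(0x02, b"\x01"),                                  # version
    seq(tlv(0x06, ID_PRIME_FIELD), tlv(0x02, b"\x17")),  # fieldID
    seq(tlv(0x04, b"\x02"), tlv(0x04, b"\x03")),         # curve a, b
    tlv(0x04, b"\x04\x05\x06"),                          # base point G
    tlv(0x02, b"\x07"), tlv(0x02, b"\x01")))             # order n, cofactor h
POINT_UNCOMPRESSED = b"\x00\x04" + b"\x11" * 64  # unused-bits byte, 0x04, X||Y
POINT_COMPRESSED = b"\x00\x02" + b"\x11" * 32    # unused-bits byte, 0x02, X
SPKI_EC_NAMED = seq(EC_NAMED, tlv(0x03, POINT_UNCOMPRESSED))
SPKI_EC_COMPRESSED = seq(EC_NAMED, tlv(0x03, POINT_COMPRESSED))
SPKI_EC_EXPLICIT = seq(EC_EXPLICIT, tlv(0x03, POINT_UNCOMPRESSED))
SPKI_RSA = seq(seq(tlv(0x06, ID_RSA_ENCRYPTION), tlv(0x05, b"")),
               tlv(0x03, b"\x00" + seq(tlv(0x02, b"\x00\xc1"), tlv(0x02, b"\x01\x00\x01"))))

if __name__ == "__main__":
    for name, spki in [("EC named curve", SPKI_EC_NAMED), ("EC compressed point", SPKI_EC_COMPRESSED),
                       ("EC explicit params", SPKI_EC_EXPLICIT), ("RSA", SPKI_RSA)]:
        print(f"{name:20s} risky={is_risky(sample_cert(spki))}")
```

To screen a real certificate, pass its DER bytes to is_risky(). For a PEM file, strip the BEGIN/END lines and base64-decode the body in Python rather than converting it with the openssl command line, so the unpatched library is never asked to parse it. A flagged certificate is not necessarily malicious (explicit parameters and compressed points are legal but rare), but it should not be installed on a unit that still uses OpenSSL 1.0.2 until the future fix ships.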

Existing Known Issues

PD-20101 Network Telemetry: The 7.2.56.0 version of the Network Telemetry Add-on may not function after being enabled on one or more interfaces. Flow data will not be sent to the Flowmon Collector and the following message will appear repeatedly in the system log:

flowd: Monitor for interface 0 (pid xxxxx) died - exited with status 1

The workaround is to remove the 7.2.56.0 version of the add-on package and install the 7.2.55.0 version, using the controls on the System Configuration > System Administration > Update Firmware page. The add-on package can be downloaded from this web page.

PD-19953 SNMPv2c Walk: When using SNMP Version 2c, the Walk command may not work, returning no data. The workaround is to enable the SNMPv3 check box in the SNMP configuration and then disable it. The Walk command should then work properly via SNMPv2c.
PD-19704 GEO Cluster Status: When adding a Cluster that is unavailable (DOWN) to a Site, the Site may reflect the Cluster's status as available (UP) for a short time before changing to DOWN.  
PD-19108 GEO: Modifying an FQDN entry displays a spurious error on the browser's JavaScript console, similar to the one shown below. The FQDN is modified properly.

<FQDN>:794 Uncaught ReferenceError: disp_addrr_elements is not defined
    at <FQDN>:794
(anonymous) @ <FQDN>:794
PD-19093 GEO: Cannot configure GEO into partnering mode unless there is at least one FQDN already defined.
PD-18646 Certificate-Based Administrative Login: Using a certificate that does not have a SAN attribute (i.e., no Principal Name) results in a failed login attempt.
PD-18615 GEO: No statistics (queries per second, etc.) are displayed for a site if the FQDN is configured to use the "All Available" Selection Criteria.
PD-18099 Client Certificates: Authentication may be denied if multiple "Other names" are present in the client certificate.
PD-17927 LDAP UI Access: Under certain circumstances, a user that has no LDAP credentials can gain access to the UI.
PD-15872 LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled.
PD-15633 GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDNs after the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working.
PD-15475 VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again.
PD-15354 SSO Timeout: In LMOS 7.2.51.0, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to be closed.
PD-15294 ESP Verify Bearer Header: Connection Manager does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
PD-14943 Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-13899 ACLs and Real Servers: Real Servers located on networks on which Connection Manager also has an IP address are always allowed to access Virtual Services on that network interface, regardless of any access control list (ACL) settings on Connection Manager. For Layer 7 services, this issue can be worked around using Content Rules. The workaround for other services is to block access for local Real Servers (if desired) on another network device (firewall, switch, router, etc.).
PD-12838 ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
PD-12616 WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12492 Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
PD-12354 / PD-10466 Hardware Support: The Connection Manager models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
PD-12147 ESP / RADIUS: In a Connection Manager configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-11861 RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the Connection Manager for both WUI Authorization and ESP Authentication.
PD-11166 Networking: Azure Connection Manager is not translating the additional network address between the Master and Slave correctly.
PD-11044 SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10917 HA: An issue exists when setting up a 2-armed HA Virtual Connection Manager in Azure.
PD-10784 HA: Configuring Connection Manager HA using eth1 on an Amazon Web Services (AWS) Virtual Connection Manager does not work.
PD-10490 WAF: The vsremovewafrule RESTful API command does not allow multiple rules to be removed. This problem has been fixed.
PD-10193 Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10159 Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 Clustering: In a Connection Manager cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816 / PD-9476 WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
