Managed WAF Release notes
Alert Logic Managed Web Application Firewall (WAF) release notes
Alert Logic supports the current version and the last two minor versions. For example, 4.5.1.0 is two versions behind 4.5.3.0, and an appliance running version 4.5.0.0 is unsupported.
Alert Logic does not automatically push new versions to customers, and an upgrade may be required if you need support on an older appliance.
Release date: August 14, 2018 Version 4.5.5.1-1683
Features
Improved OS commanding detection
Bug fixes
Proxy would improperly block certain OS commanding violations with HTTP 500 errors regardless of policy setting
Release date: August 7, 2018 Version 4.5.5.0-1668
Features
- Clean up orphaned package management transaction files
- Improve deny log rotation performance
- Reduce alarm flapping
- Log the offending part of abnormally large payloads
- Watchdog enhancements
- Enable "Accept underscore characters in request headers" by default
- Allow certain alarm conditions to automatically clear when the alarm condition is no longer present
- Normalize and de-duplicate virtual host aliases to lowercase
- Allow optional port numbers in X-Forwarded-For header parsing
- Add configurable back-off period for auto-clearing alarms
- Improved OS Commanding detection
- Updated signature content
- Add Drupal signature as a custom signature to new proxies
- AWS Enhanced Networking Adapter foundational support, pending AMI release
- Improve cluster synchronization resilience to network errors
Bug fixes
- Passive WAF logged proxy IP instead of trusted X-Forwarded-For IP in some circumstances
- Error saving intermediate certificate when "Validate certificate chain" is enabled
- Strip request headers entirely when required by policy, rather than only removing the value
- Deny log processing could stall on Passive WAF
- Passive WAF feature can be fully enabled without requiring sensor reboot
Release date: June 7, 2018 Version 4.5.4.3-1586
Features
Add support for AWS S3 bucket server-side KMS encryption
Release date: May 8, 2018 Version 4.5.4.2-1545
Features
Improved audit logging
Bug fixes
Fix a rare memory leak
Release date: April 9, 2018 Version 4.5.4.1-1501
Bug fixes
- Fixed issue displaying deny logs with malformed UTF-8 data
- Resolve UI error related to IP sharding feature
- Fixed grouping by country in the deny log dashboard
- Stop logging at 10% free space left on Passive WAF
- Read the correct core error log on auto-scaling masters
Release date: March 6, 2018 Version 4.5.4.0-1461
Features
- Support inline WAF on Google Compute Engine
- Updated kernel
- Replaced string search algorithm
- Relaxed threshold for waf-core-cpu alarm
Bug fixes
- Prevent autoscaling master instances from syncing backup to S3 when unhealthy
- Restored "Insert" option on response header rewrite rules when using more than 4 entries
- Fixed L7 blacklist syncing for CIDR ranges
- Restored missing fields in deny log in edge case
Release date: January 30, 2018 Version 4.5.3.4-1418
Bug fixes
- Resolve an issue which could prevent certain global system settings from syncing to autoscaling workers and HA learners
- Resolve a slow memory leak in the proxy core
Release date: January 4, 2018 Version 4.5.3.3-1395
Bug fixes
Restore allowed HTTP method types in policy ACLs correctly when restoring backups or replacing autoscaling master instances
Release date: November 14, 2017 Version 4.5.3.2-1320
Features
- Activate JSON parser for a wider content-type range
- Enable response inspection by default on Passive WSM
- Support tilde and percent in external redirects
- Parse cookies more strictly
- Configure AWS auto-scaling master as undisciplined clock
Bug fixes
- Resolve a circumstance which caused DHCP to be enabled improperly on new sensors
- Don't log the RAW body twice on Passive WSM
- Allow large file uploads when Content-Length is set
- Resolve UI error when deleting phantom static routes
- Resolve minor issues in SSL client auth handling
Release date: August 2017 Version 4.5.3.1-1204
Bug fixes
Fix a regression that broke new routing proxy deployments
Release date: July 17, 2017 Version 4.5.3.0
Bug fixes
- Improved response inspection/analysis statistics to eliminate sources of inaccurate criticality scoring.
- Resolved an issue with multi-node configuration sync that could interrupt cluster sync operations.
- Resolved an issue preventing the blacklist from syncing from master to learner nodes in some scenarios.
- Addressed an issue related to high CPU consumption when running scans against WSM in some customer environments.
Features
- Added API calls to import and export site policy templates via WSM management API.
- Added an option to close connection on 502 errors.
- Improved network performance in customer environments with high rates of requests and concurrent requests.
Security
- Resolved nginx range filter potential leakage/denial of service vulnerability (CVE-2017-7529).
Changes
- Management UI now requires TLS 1.2+.
Notice
None
Release date: April 12, 2017 Version 4.5.2.4
Bug fixes
- Addressed an issue introduced in 4.5.2.1 release causing unexpected proxy update/delete behavior.
Security
- Removed potential for theoretical XSS within a specific dialog.
Release date: March 13, 2017 Version 4.5.2.2
Bug fixes
- Improved log rotation/log storage database to reduce contention and improve log rotation process.
- Resolved a rare issue with CPUs without AVX support.
Features
- Added Apache Struts (CVE-2017-5638) header validation rule and included in default template.
- Added option to globally enable proxy protocol for all listen IPs.
Changes
- Changed WSM “Import Proxy Template” API call to match documentation.
Release date: February 21, 2017 Version 4.5.2.1
Bug fixes
- Resolved an issue related to falsely indicating versions within a cluster.
- Addressed a small number of scenarios where license keys incorrectly report that they are invalid.
- Addressed scenarios where the appliance watchdog service may inadvertently not be running.
- Resolved several minor typos in the user interface.
- Resolved an issue where changed cluster passwords were not replicated through the entire system.
Features
Added per-site policy GeoIP-based blacklisting/whitelisting functionality.
Security
Added internal last modified date for CRUD operations on websites, to be relayed to Alert Logic’s backend.
Changes
- User interface will now prevent a proxy creation that overlaps on IP:port between another proxy/protocol.
- Internal daemons dealing with syslog messages now have higher free disk thresholds, consistent with alarms.
Release date: February 7, 2017 Version 4.5.2.0
Bug fixes
- Resolved an issue where stats database could end up with improper permissions.
- Resolved potential slow memory leaks with stats collector.
- Improved watchdog recovery of logging agent.
Features
Completed support for new AWS regions that require both HVM and v4 signatures.
Changes
Introduced dependency on new health monitoring agent.
Release date: January 19, 2017 Version 4.5.1.2
Bug fixes
- Improved logging related to blocking/blacklisting IPs, both removing excess errors and ensuring details are properly logged.
- Ensure blocking configuration files are properly written during AWS master re-spins.
- Resolved issue with block timeouts falling back to default rather than using configured timeout.
- Resolved an issue with adding overlapping ranges to blacklists that resulted in some IPs not blacklisted.
Features
Extended maximum header size limitation to optionally allow headers up to 32k.
Release date
December 15, 2016 (4.5.1.1)
Bug fixes
- Updated response inspection to pick up configuration changes when website configurations are changed.
- Improved handling of learn candidate failures to prevent unexpected deny logs from being created from learn candidates.
- Resolved an issue with System>Tools>Website Configuration preventing expected configuration content from being returned.
- Addressed an issue that may result in unexpected mismatched version alarms within a cluster.
Features
N/A
Security
Provided an updated kernel to address potential security vulnerabilities (including dirtyc0w).
Changes
- Updated several minor issues in the REST API and added a new API call to get IP addresses.
- Updated invalid hostname violation to enforce SSL hostname restrictions.
- Allowed single quotes in file paths by modifying the allowable files regular expression.
Notice
N/A
Release date
October 27, 2016 (4.5.1.0)
Bug fixes
- This release removes the unexpected need for initial configuration save and restart of the WSM appliance UI at provisioning time.
- This release resolves an issue where backend server violations did not always log headers.
- This release resolves an issue where layer 7 blocking did not always work following autoscaling instance respins.
- This release removes superfluous error generation when syncing routing proxy configs.
- This release improves resilience of deny log transport in certain edge cases.
- This release improves storage of datacenter affiliation configuration.
- This release adds functionality to always include response parameters (even if values are empty) in deny logs to ensure logs are properly parsed.
- This release improves Denial of Service mitigation setting configuration to ensure settings are saved and operate as expected.
- This release addresses an issue related to response inspection learning that can lead to increased CPU consumption.
- This release improves handling of iptables configuration to ensure appliance specific changes are not overwritten for both WSM Premier and WSM (Out of Band).
- This release resolves a scenario where the ACL cache can be cleared during the autoscaling instance boot process.
- This release improves payment card masking to reduce false positives in deny log masking.
Features
N/A
Security
This release updates HTTP SSL settings to lock down insecure ciphers and SSL/TLS for WSM (Out of Band).
Changes
- WSM Appliance API users can now be created via UI, CFT, and during appliance provisioning.
- WSM Appliance API users will now be indicated in the appliance UI.
- IP Addresses extracted from X-Forwarded-For headers will now be the leftmost non-private IP.
- Deny log rotation is now limited to preserving 100k records, which will be rotated more frequently.
- Improvements to several WSM appliance alarms facilitate better monitoring and troubleshooting by Alert Logic operations teams.
- Updated WSM appliance SQLite instance for improved stability and reliability.
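Added example (not Alert Logic code): a Python illustration of the X-Forwarded-For handling described in the 4.5.1.0 change above (leftmost non-private IP), combined with the optional port numbers accepted as of 4.5.5.0. The function names, the set of ranges treated as private, and the fallback to the connecting peer address are assumptions, and the sample headers are constructed.

```python
import ipaddress

# Assumption: "private" means RFC 1918, loopback, link-local and their IPv6 equivalents.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_private(addr):
    """True if addr falls in one of the ranges above."""
    return any(addr.version == net.version and addr in net for net in PRIVATE_NETS)

def strip_port(token):
    """Return the address part of one header element, dropping an optional port."""
    token = token.strip()
    if token.startswith("["):        # bracketed IPv6 with port: [2001:db8::1]:8443
        return token[1:].partition("]")[0]
    if token.count(":") == 1:        # IPv4 with port: 203.0.113.7:51234
        return token.partition(":")[0]
    return token                     # bare IPv4 or bare IPv6

def client_ip_from_xff(header, peer_ip):
    """Leftmost non-private address in the header, else the connecting peer."""
    for token in header.split(","):
        try:
            addr = ipaddress.ip_address(strip_port(token))
        except ValueError:
            continue                 # "unknown", empty elements, malformed values
        if not is_private(addr):
            return str(addr)
    return peer_ip

# Constructed sample headers: (X-Forwarded-For value, connecting peer address).
SAMPLES = [
    ("10.0.0.5, 203.0.113.7:51234, 198.51.100.23", "192.168.1.10"),
    ("[2001:db8::1]:8443, 10.1.1.1", "192.168.1.10"),
    ("unknown, 192.168.0.4", "198.51.100.9"),
]

if __name__ == "__main__":
    for header, peer in SAMPLES:
        print(f"{header!r:50} -> {client_ip_from_xff(header, peer)}")
```

Elements to the left of the one appended by your own proxy are supplied by the client, so treat the selected address as reliable only when an upstream proxy you control overwrites or validates the header.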
Notice
N/A
Release date
September 19, 2016 (4.5.0.2)
Bug fixes
- This release resolves an issue where Content-Type was not being matched case-insensitively.
- This release improves handling of chunked multipart/form-data.
- This release prevents multiple instances of internal services from running on the appliance.
- This release resolves two minor syslog daemon configuration issues.
- This release resolves an issue where invalid learn chunks could cause startup failures without manual intervention.
Features
N/A
Security
This release updates the embedded agent, which now includes additional TLS 1.2 support for Alert Logic services.
Changes
N/A
Notice
N/A
Release date
August 11, 2016 (4.5.0.0)
Bug fixes
- This release ensures the syslog daemon is restarted properly after upgrade.
- This release resolves an issue with single tuned site configurations not properly transmitting log activity.
- This release resolves an issue with configuration files potentially being overwritten during an upgrade.
- This release resolves an issue during boot where AWS environments were not properly recognized.
- This release resolves an issue with duplicate fwmark rules being created in transparent proxy deployments.
Features
- This release adds capabilities to capture and analyze full server responses, providing the response and potential indicators of compromise within the UI and deny logs.
- This release improves support for Azure WSM deployments, including adjustments to SSH ClientAliveInterval and the WSM configuration UI.
Security
This release resolves CVE-2016-4450 (a potential DoS condition in nginx).
Changes
This release removes VLAN submenu from WSM UI in deployments where it’s not used.
Notice
- N/A
Release date
June 16, 2016 (4.4.3.0)
Bug fixes
- This release resolves an issue with unnecessary services running on auto-scaling workers.
- This release resolves an issue with connectivity to S3 during updates.
- This release resolves several minor issues that could generate unexpected log output.
- This release resolves several issues with the internal watchdog to improve resilience.
- This release resolves an issue where SSL certificate chain expiration dates could appear incorrectly or be out of sync across components.
- This release resolves an issue related to certain scans causing unexpected appliance behavior.
- This release resolves an issue where certain scheduled tasks would not run in configured timezones.
- This release resolves an issue where cluster IP alias limits were not functioning as expected in configuration UI.
- This release resolves an issue with custom access log formats not behaving as expected.
Features
- N/A
Security
- This release updates openssl library to address recent openssl vulnerabilities (including CVE-2016-2108 and CVE-2016-2107).
Changes
- This release further restricts remote login access via SSH to internal and Alert Logic networks.
Notice
- N/A
Release date
April 21, 2016 (4.4.2.0)
Bug fixes
- This release resolves an issue causing proxy stats database to grow excessively large in size.
- This release resolves an issue with a dependent service failing to auto-upgrade during provisioning.
- This release resolves an issue with missing configuration settings not being restored during re-spin in AWS auto-scaling deployments.
- This release resolves an issue with WSM agent service consuming resources on AWS auto-scaling workers.
- This release resolves an issue with the management of multiple instances of dependent services.
- This release resolves an issue with the bootstrap process when services are not immediately ready.
- This release resolves an issue with AWS auto-scaling workers performing unnecessary S3 config backups.
- This release resolves an issue related to layer 7 blocking, including a problem with timeout enforcement.
Features
- This release adds several improvements relating to web security content, including additional details in the deny log when content is triggered.
- This release adds support for monitoring RESTful API methods and zero-length requests that normally have a request body.
- This release adds several improvements to aid in troubleshooting of WSM appliances, while improving monitored checks.
Security
- N/A
Changes
- This release changes worker CPU usage calculation to use standard deviation instead of min/max.
- This release changes backend health check configuration to reject semicolons in path.
Notice
- N/A
Release date
March 3, 2016 (4.4.1.0)
Bug fixes
- This release resolves an issue where WSM user guides/help links may not have been accurate to the WSM version deployed.
- This release resolves issues with several scenarios that could cause unexpected responses to carefully crafted requests.
- This release resolves an issue causing failures importing PKCS12 certificates.
- This release resolves an issue with static routes when using interface-specific gateways.
- This release resolves an issue where temporary files remained after working with SSL cache.
- This release resolves an issue where it was not possible to bypass an unknown method (e.g. WebDAV LOCK) when parameters/cookies were present.
- This release resolves an issue deploying customer-specific hotfixes to AWS auto-scaling deployments.
- This release resolves an issue displaying deny log when Unicode encoded characters were present in an entry.
Features
- This release adds support for worker access logs to be aggregated on master (similar to deny logs).
Security
- This release updates glibc and openssl to address recent upstream security announcements.
Changes
- This release extends enforcement of SSH access, eliminating remote access from the “operator” user.
Notice
- N/A
Release date
July 7, 2016 (3.2.38)
Bug fixes
N/A
Features
N/A
Security
- This release updates openssl library to address recent openssl vulnerabilities (including CVE-2016-2108, CVE-2016-2107).
Changes
- This release further restricts remote login access via SSH to internal and Alert Logic networks.
- This release enables masking of sensitive payment card information in log data by default.
Notice
N/A