Release date: 12/26/2017

Revision: r42310

This version is a maintenance release of the Long Term Support (LTS) v5.5.

Improvements

Security and component updates

  • OpenSSL to 1.0.2m
  • Kernel to 3.16.48
  • PHP to 5.6.31
  • Jetty to 9.3
  • Java to 1.8

Resolved problems

Bug criticality indicators

(error): Serious, (warning): Moderate or with workaround, (info): Low or cosmetic. 

Alerts, logs and reporting

  • (error) [DA-4076] Realtime log viewer via "Log Management" returns always "Value not authorized."

System

  • (error) [DA-8242] Runtime cleaner removes a directory that is still in use
  • (error) [DA-7779] Unauthenticated Remote Code Execution via the XML API
    For details, see the advisory page.
  • (error) [DA-7335] Apache error on static content with invalid permissions
  • (error) [DA-6425] SNMPTRAP not working anymore
  • (error) [DA-6276] OpenSSH MaxAuthTries Bypass

Network

  • (warning) [DA-2218] MAC address is not updated on network card replacement

ICX and ACE

  • (warning) [DA-6786] Category and rule UIDs change when an ICX configuration is saved with 'Save as'

  • (error) [DA-6705] ICX Behavior changes on whitelists

SSL

  • (error) [DA-7350] Technical error on WAM configurations using the 'verify certificate' option

  • (error) [DA-5751] Elliptic Curve Cryptography certificates cannot be uploaded

  • (warning) [DA-3336] Outgoing SSL: the proxy's peer CN and expiry checks depend on the CA certificates

Authentication and SSO

  • (warning) [DA-6330] Intermediate certificate cannot be uploaded

  • (warning) [DA-6095] Unable to modify "Kerberos Delegation Authentication - token" authentication type

  • (warning) [DA-5258] LDAPS (LDAP over SSL) connection error when using a key size larger than 1024 bits

GUI

  • (error) [DA-7906] Realtime log viewer via "Log Management" returns always "Value not authorized."
  • (warning) [DA-7116] Allow GeoIP database updates without RSE upgrades
  • (warning) [DA-7098] No check before removing authentication server used for GUI Authentication

Reverse proxy and tunnel

  • (warning) [DA-7587] Controller timeout when applying too many tunnels
  • (warning) [DA-7514] Reverse proxy without tunnel ignores the apply

Monitoring

  • (warning) [DA-6525] Backend monitoring frequency setup is not working
  • (warning) [DA-5880] Metric 'cpu load warning' does not appear in the list

Miscellaneous

  • (error) [DA-7548] Segfault on invalid HTTP response from backend
  • (error) [DA-7342] Controller stacktrace when uploading a corrupted backup
  • (warning) [DA-6657] Namespace number is increased at each backup/restore
  • (warning) [DA-6110] Syslog message contains 'localhost' or 'webserver' instead of the appliance name
  • (error) [DA-4449] Sysctl profiles are not applied after restoring a backup

Identified problems, failures and limitations

 

ICX rules behavior

The fix for "[DA-724]: Double conditions on same element in an ICX rule doesn't work" can lead to a behaviour change for some ICX exception rules. Previously, a rule with several conditions on the same field matched as soon as one of those conditions was true, whatever the selected 'Match' type ('Any' or 'All'). From i-Suite 5.5.8, with the Match type 'All', the rule matches only if all conditions are true, regardless of which fields they test.

Example:

C1 is a condition on field A,
C2 is a condition on field B,
C3 is a condition on field B.

R1 is a 'match All' rule with C1, C2, C3.

Before 5.5.8, R1 = C1 AND (C2 OR C3)

In 5.5.8, R1 = C1 AND C2 AND C3

In 5.5.9, the previous behaviour was reintroduced as the 'All fields' match type ([DA-3490]). An exception rule that relies on two conditions on the same scalar field (e.g. two different exact values of one header) must therefore use 'All fields', not 'All', or it will never match.
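The following Python model is an added illustration of the three semantics above; it is not i-Suite code (the ICX engine is not public), and it assumes that a condition is simply a predicate on a named request field and that a request carries one value per field.

```python
"""Model of the ICX 'Match' semantics described in this release note.

Added illustration, not DenyAll/i-Suite code. A condition is assumed to be
(field name, predicate on that field's value); a rule is a list of conditions
evaluated under one of the three match modes.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Condition = Tuple[str, Callable[[str], bool]]   # (field, test applied to the field value)
Request = Dict[str, str]                          # constructed request: field -> value


def _results_by_field(conditions: List[Condition], req: Request) -> Dict[str, List[bool]]:
    """Evaluate every condition and group the outcomes by the field it tests."""
    grouped: Dict[str, List[bool]] = defaultdict(list)
    for field, pred in conditions:
        grouped[field].append(pred(req.get(field, "")))
    return grouped


def match_any(conditions: List[Condition], req: Request) -> bool:
    """'Any': fires if at least one condition is true (unchanged across versions)."""
    return any(pred(req.get(field, "")) for field, pred in conditions)


def match_all_pre_558(conditions: List[Condition], req: Request) -> bool:
    """'All' before 5.5.8, and 'All fields' from 5.5.9 ([DA-3490]):
    conditions on the same field are OR-ed, the per-field results are AND-ed."""
    return all(any(results) for results in _results_by_field(conditions, req).values())


def match_all_558(conditions: List[Condition], req: Request) -> bool:
    """'All' from 5.5.8 ([DA-724]): every condition must hold, whatever field it tests."""
    return all(pred(req.get(field, "")) for field, pred in conditions)


# The note's rule R1: C1 on field A, C2 and C3 on field B (constructed values).
C1: Condition = ("A", lambda v: v == "a1")
C2: Condition = ("B", lambda v: v == "b1")
C3: Condition = ("B", lambda v: v == "b2")
R1: List[Condition] = [C1, C2, C3]


def evaluate_r1(req: Request) -> Dict[str, bool]:
    """Return R1's verdict under each semantics for one request."""
    return {
        "any": match_any(R1, req),
        "all_pre_5.5.8 / all_fields_5.5.9": match_all_pre_558(R1, req),
        "all_5.5.8": match_all_558(R1, req),
    }


if __name__ == "__main__":
    # C1 and C2 hold; C3 cannot, because field B has a single value.
    # Under the 5.5.8 'All' semantics the exception rule silently stops matching.
    req = {"A": "a1", "B": "b1"}
    for mode, verdict in evaluate_r1(req).items():
        print(f"{mode:35s} -> {verdict}")
```

Because C2 and C3 are two exact-value tests on the same scalar field, `match_all_558` can never return True for R1: that is the silent behaviour change the note warns about, and the reason such rules need the 'All fields' type from 5.5.9 onwards.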

OpenSSL weak ciphers no longer supported

i-Suite 5.5.13 ships the latest OpenSSL version. Since OpenSSL 1.0.1s, weak ciphers are no longer supported. The update cannot proceed until weak ciphers have been removed from all SSL Cipher Profiles.


100% CPU load problem

On PowerEdge R220 servers, the CPU load can in some cases rise to 100%. If the problem occurs on one of your servers, install the following fix by uploading the file through the i-Suite GUI under "Setup > i-Boxes > box > i-Box Settings > Utils > Support debug script".

Deprecated EXPORT ciphers in OpenSSL

Export ciphers are deprecated since OpenSSL 1.0.1m. The update cannot proceed until these ciphers have been removed from all SSL Cipher Profiles.

Removed ciphers (all anonymous DH/ECDH suites, which perform no server authentication):

ADH-AES256-GCM-SHA384, ADH-AES256-SHA256, ADH-AES256-SHA, ADH-CAMELLIA256-SHA, ADH-AES128-GCM-SHA256, ADH-AES128-SHA256, ADH-AES128-SHA, ADH-SEED-SHA, ADH-CAMELLIA128-SHA, ADH-RC4-MD5, ADH-DES-CBC3-SHA, AECDH-AES256-SHA, AECDH-AES128-SHA, AECDH-RC4-SHA, AECDH-DES-CBC3-SHA, AECDH-NULL-SHA

Also note that TLS clients reject handshakes offering DH parameters shorter than 1024 bits (since OpenSSL 1.0.1r), so backends and proxies still using 512- or 768-bit DH groups must be updated as well.
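As a pre-upgrade check covering both the "OpenSSL weak ciphers" and "Deprecated EXPORT ciphers" sections above, here is an added Python script (not i-Suite code) that scans cipher profile strings for the suites this release refuses. It assumes each SSL Cipher Profile can be exported as an OpenSSL-style cipher list (names separated by ':'); the `REMOVED` set is the list from this page, and the pattern rules extend it to the export-grade, anonymous and NULL families in general.

```python
"""Pre-upgrade audit of SSL Cipher Profile strings.

Added example, not DenyAll/i-Suite code. Profiles are assumed to be exported
as OpenSSL-style cipher lists ('A:B:!C'); paste them into PROFILES.
"""
import re
from typing import Dict, List

# Suites this release note lists as removed (all anonymous DH/ECDH).
REMOVED = {
    "ADH-AES256-GCM-SHA384", "ADH-AES256-SHA256", "ADH-AES256-SHA",
    "ADH-CAMELLIA256-SHA", "ADH-AES128-GCM-SHA256", "ADH-AES128-SHA256",
    "ADH-AES128-SHA", "ADH-SEED-SHA", "ADH-CAMELLIA128-SHA", "ADH-RC4-MD5",
    "ADH-DES-CBC3-SHA", "AECDH-AES256-SHA", "AECDH-AES128-SHA",
    "AECDH-RC4-SHA", "AECDH-DES-CBC3-SHA", "AECDH-NULL-SHA",
}

# Whole families an upgrade-blocking profile must not carry, plus the OpenSSL
# alias keywords that expand to them when used positively.
WEAK_PATTERNS = [
    re.compile(r"^EXP-"),                                   # export-grade (40/56-bit) suites
    re.compile(r"^A(EC)?DH-"),                              # anonymous DH / ECDH: no server auth
    re.compile(r"-NULL-|^NULL-"),                           # no encryption
    re.compile(r"^(EXP(ORT)?(40|56)?|aNULL|eNULL|ADH|AECDH)$"),  # aliases for the above
]


def offending_suites(profile: str) -> List[str]:
    """Return the entries of one cipher-list string that block the upgrade.

    '!' entries are exclusions and are fine; a leading '-' or '+' (OpenSSL
    delete / move-to-end) is stripped before the name is matched.
    """
    bad: List[str] = []
    for raw in profile.split(":"):
        entry = raw.strip()
        if not entry or entry.startswith("!"):
            continue
        name = entry.lstrip("+-")
        if name in REMOVED or any(p.search(name) for p in WEAK_PATTERNS):
            bad.append(entry)
    return bad


def audit(profiles: Dict[str, str]) -> Dict[str, List[str]]:
    """Map profile name -> offending entries, for profiles that have any."""
    report: Dict[str, List[str]] = {}
    for name, cipher_list in profiles.items():
        bad = offending_suites(cipher_list)
        if bad:
            report[name] = bad
    return report


# Constructed sample profiles, not taken from any real appliance.
PROFILES = {
    "legacy": "ADH-AES128-SHA:EXP-RC4-MD5:AES128-SHA:DES-CBC3-SHA",
    "anon-alias": "HIGH:aNULL:!MD5",
    "modern": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT",
}

if __name__ == "__main__":
    for profile, bad in audit(PROFILES).items():
        print(f"{profile}: remove {', '.join(bad)} before upgrading")
```

Run it against every profile before starting the installation procedure; a profile such as "modern", which only names the weak families in '!' exclusions, passes, while "legacy" and "anon-alias" are reported and must be edited first.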

 

SSL accelerator cards

Hardware acceleration (models IS4*00, IS5*00 and IS8*00) must be disabled in the Reverse Proxies settings. If it remains enabled, SSL performance can drop by up to 60%: this version uses the CPU's cryptographic instructions, whose performance matches or exceeds that of the accelerator cards. Enabled SSL accelerator cards can also cause a child-process segfault on the Reverse Proxy. Moreover, SSL accelerator cards manufactured by Broadcom are no longer supported since version 5.4.0; only Cavium cards are compatible with this version.

Ambiguous report for raid and power supply status

On 2100 servers, the RAID status can be misleading when a disk is in a fault state.

Known issues

  • This version cannot be installed on hardware (or virtual machines) with 32-bit CPUs. The installation process will abort.
  • (warning) The procedure "Changing the administration IP of an i-Box via BeeShell" must be followed by a reboot (reboot command) of the i-Box before a connection can be established on the new IP.
  • (warning) [BW-2213] - Configuration overwrite if Credential repository and Authentication server have the same name.
  • (warning) [BW-2015] - SSH daemon, SNMP daemon, DNS and Hosts sections of the i-Box configuration are not activated after a restore.
    The workaround consists in opening the i‑Box modification dialog after restoring and validating the configuration.
  • (warning) [BW-1750] - "HTTP Basic Authentication - Custom Learning" doesn't support non-UTF8 encoding
  • (warning) [BW-1317] - Credential learning does not work when the backend returns gzip/deflate-compressed responses
  • (info) [BW-2209] - Scheduled task: reports are generated in English despite the French language setting
  • (info) [BW-2096] - Large request headers won't be logged in security logs
    When a request contains an attack and the header size is large (near 64K), the alert is not logged in the Security Logs. 
  • (info) [BW-1126] - Labels are lost after restoring items
  • (info) [BW-1076] - Failed scheduled task not reported in event log

Installation procedure

Before installing this version, backup any work that is in progress. Generate and download a backup of all the i‑Boxes.

Prerequisite: check that the i‑Box cluster is running beeware-os-5.5.11 or beeware-os-5.5.12.

  1. Download the latest Administration Interface (5.5.13) from https://my.denyall.com
  2. Log into the Management i‑Box with the new Interface.
  3. Download the beeware-os 5.5.13 RSE file to the i‑Box.
  4. Back up all the configurations and download the backup file.
  5. Select the Management i‑Box and click “Install”.

    The Management i‑Box must be updated first, before updating the managed i-Box.

  6. The installation process will automatically reboot the i‑Box.
  7. Repeat stages 5 and 6 for each managed i‑Box, if there are any.
  8. Perform an Apply (with Cold Restart selected) on all the configurations.

Uninstall procedure

  1. Uninstall the managed i-Boxes first: select a managed i‑Box and click Uninstall.
  2. The i-Box reboots automatically.
  3. Repeat stages 1 and 2 for all managed i-Boxes.
  4. Repeat stages 1 and 2 for the Management i-Box. The administration console will be disconnected.
  5. After Management i-Box reboot, log into the Management i-Box, and perform an Apply (with Cold Restart selected) on all the configurations.
