Managed WAF Release Notes
Alert Logic Managed Web Application Firewall (WAF) release notes
Alert Logic supports the current version and the last two minor versions. For example, 126.96.36.199 is two versions behind 188.8.131.52, and an appliance running version 184.108.40.206 is unsupported.
Alert Logic does not automatically push new versions to customers, and an upgrade may be required if you need support on an older appliance.
Release date: August 31, 2020 Version 220.127.116.11
- Support exporting deny logs to an S3 bucket
- Support syslog over TLS
- Support vpatches for emerging threats
- Send additional details to Log Manager regarding generic protocol violations
- Improve handling of XML
- Improve configurability of body permissions and actions across methods
- Minor signature improvement
- Numerous performance and portability improvements to WSM internals
- Interpret and synchronize extended syslog config correctly
- Check multiple virtual patches matching a path
- Fix issue with WSM dashboard not displaying through the AL console
- Allow OPTIONS method when no application path config is present
- Support separate default vhosts for both HTTP and HTTPS
- Send certificate metadata to backend in all cases
- Avoid double-escaping regex application paths during upgrades and imports
Release date: May 5, 2020 Version 18.104.22.168
- Improved utf8 handling
- Resolved an issue with displaying HTML5 graphs in the console
- Improved mqueue allocation during an upgrade
Release date: April 7, 2020 Version 22.214.171.124
- Alert Logic now supports new collections of virtual patches (highly-targeted security content for specific vulnerabilities)
- Replaced Flash-based UI graphs with HTML5 charts
- Improved multibyte support
- Allowed GET requests to have a body
- Treated expected redirects of HTTP to SSL as non-violating
- Minimized UI presentation of sequentially-duplicated system logs
- Supported custom log fields in extended enhanced alert log
- Used ISO date format for audit logs
- Allowed quoted multipart boundaries
- Supported SameSite cookies
- Supported customizable 307/308 redirects
- Supported negation of deny log filter expressions
- Supported optional silencing of GeoIP access violations
- Expanded character set in the default URL class definition
- Added cipher and TLS version as options for custom access log format
- Covered additional SQLi conditions with improved security content
- Properly decoded HTML entities when dealing with customer-defined web ACLs
- Validated SSL PEM certificates on upload regardless of the "Validate certificate chain" option
- Corrected an issue with updating CRL lists
- Properly matched regex-based ACLs when adding to them from the deny log view
- Updated text in "Add from deny log" functionality
- Updated OpenSSH
- Updated console URLs in login page
- Removed source IPs which have been removed from the teacher node's blacklist
- Improved X-Forwarded-For parsing
- Made SSL certificate generation default to 2048 bit keys
- Used default HTTPS proxy settings correctly
- New web ACLs now inherit allowed HTTP method settings
- Improved logging for the health check daemon
- Improved automated detection of XML content
Release date: November 21, 2019 Version 126.96.36.199
- Use regular expressions in web application paths (Note: existing paths will be converted to regexes automatically)
- Improve handling of UTF-8 encoding in policy values
- Add file extension validation framework
- Prioritize GeoIP lookups by represented country, registered country, and RIR assignment country order (Note: This product includes GeoLite2 data created by MaxMind).
- Add trusted proxy support for black hole
- Offer extended alert log format
- Support ECDSA keys for TLS proxies (mutually exclusive with RSA)
- Release package updates for base OS security
- Block TRACE method on Management UI
- Fix response body rewriting consistency when learning engine is enabled
- Fix issue where health check daemon could miss config change notifications
Release date: September 26, 2019 Version 188.8.131.52-2249
- Support sending SNI to upstream servers
- Support future hotfix deployments independent of upgrades
- UI to multi-select country codes
- UI to copy deny log details to clipboard
- UI warning when enabling proxy protocol
- Disable legacy SSH algorithms
- Deterministic package installation order for new physical/virtual deployments
- API for managing redirects and aliases
- Generate warnings when auto-scaling worker sync is blocked
- Improvements to deny log parser error handling
- Protocol violations should not log entire payload
- Reduce false positives on XPATH signatures
- Skip [ TRUNCATED ] suffix when adding parameters from log
- Remove low-confidence XPATH signatures
- Replace message queue implementation for deny logs, learning data, and response inspection
- Always validate request headers using general rules in addition to header-specific validation
- Allow ACL definitions to be agnostic about trailing slashes
- Match newlines when masking deny log input
- Make signature package updates visible in UI
- Improve access log routing for auto-scaling deployments with more than ten proxies
- Use correct package name when updating signatures on autoscaling worker instances
Release date: June 13, 2019 Version 184.108.40.206-2084
Switched to a new GeoIP2 database format for more accurate geolocation data. This product includes GeoLite2 data created by MaxMind.
Release date: May 7, 2019 Version 220.127.116.11-2030
- Reduced false positives in OS Commanding signatures.
- Preserved policy routes when upgrading.
Release date: April 9, 2019 Version 18.104.22.168-1976
- Allow single-quoted strings in JSON parser
- RPC audit logging overhaul
- Expose an option to disable Web Application IDS default inspection scope
- Return signature info in response headers in signature test mode
- Detect evasion attempts using request body header tricks
- Replace ntpd
- Reduce false positives
- Change authentication mechanism for repository access
- Content validation data collection framework
- Allow malformed UTF-8 encodings in JSON payloads
- Further improvements to TLS key handling
- Persist policy routing priorities
- Web App IDS deny log notes correct action on requests to unknown hosts
- Prevent errors from terminating syncd
- Prevent proxy error log duplication
- Allow overlapping system gateway to match a whitelist
- Package renamed to accommodate breaking changes
- Removed RFI to reduce false positives
- Improved general coverage
- Improved SQLI coverage
Release date: December 14, 2018 Version 22.214.171.124-1839
- Add Joomla PHP injection signature to header validation
- Add underlying support for nvme1n1 for new instance types
- Allow access logging of calculated remote IP
- Allow more granular control of email notifications
- Improve TLS key handling
- Install operations tool by default
- Relax JSON parser to allow scalar string data
- Release new kernel
- Require latest DNS SQLi signature
- Support TLDs up to 32 characters long
- Support configurable DTD validation when parsing XML payloads
- Turn on filename validation by default
- Update several common software packages
- Align utf8 usage in WAF core and the Alert Logic console
- Allow the trusted proxy setting to be reset to undefined
- Fix Managed WAF display for read-only users in the Alert Logic console
- Fix bug in reading attribution signatures
- Rotate deny log database more gracefully
- HUP syslogng after rotating access log
- Improve header validation / RFC enforcement options
- Send HSTS headers on Managed WAF error pages
- Suppress sensitive metadata in log
- DNS exfiltration
- Date field for classification signatures
- Improved OSC / removed OSC_TRAIL_PIPE
- Improved PHP INJ signature
- New OSC and SQLI signatures
Release date: August 14, 2018 Version 126.96.36.199-1683
- Improved OS commanding detection
- Proxy would improperly block certain OS commanding violations with HTTP 500 errors regardless of policy setting
Release date: August 7, 2018 Version 188.8.131.52-1668
- Clean up orphaned package management transaction files
- Improve deny log rotation performance
- Reduce alarm flapping
- Log the offending part of abnormally large payloads
- Watchdog enhancements
- Enable "Accept underscore characters in request headers" by default
- Allow certain alarm conditions to automatically clear when the alarm condition is no longer present
- Normalize and de-duplicate virtual host aliases to lowercase
- Allow optional port numbers in X-Forwarded-For header parsing
- Add configurable back-off period for auto-clearing alarms
- Improved OS Commanding detection
- Updated signature content
- Add Drupal signature as a custom signature to new proxies
- AWS Enhanced Networking Adapter foundational support, pending AMI release
- Improve cluster synchronization resilience to network errors
- Passive WAF logged proxy IP instead of trusted X-Forwarded-For IP in some circumstances
- Error saving intermediate certificate when "Validate certificate chain" is enabled
- Strip request headers entirely when required by policy, rather than only removing the value
- Deny log processing could stall on Passive WAF
- Passive WAF feature can be fully enabled without requiring sensor reboot
Release date: June 7, 2018 Version 184.108.40.206-1586
Add support for AWS S3 bucket server-side KMS encryption
Release date: May 8, 2018 Version 220.127.116.11-1545
- Improved audit logging
- Fix a rare memory leak
Release date: April 9, 2018 Version 18.104.22.168-1501
- Fixed issue displaying deny logs with malformed utf8 data
- Resolve UI error related to IP sharding feature
- Fixed grouping by country in the deny log dashboard
- Stop logging at 10% free space left on Passive WAF
- Read the correct core error log on auto-scaling masters
Release date: March 6, 2018 Version 22.214.171.124-1461
- Support inline WAF on Google Compute Engine
- Updated kernel
- Replaced string search algorithm
- Relaxed threshold for waf-core-cpu alarm
- Prevent autoscaling master instances from syncing backup to S3 when unhealthy
- Restored "Insert" option on response header rewrite rules when using more than 4 entries
- Fixed L7 blacklist syncing for CIDR ranges
- Restored missing fields in deny log in edge case
Release date: January 30, 2018 Version 126.96.36.199-1418
- Resolve an issue which could prevent certain global system settings from syncing to autoscaling workers and HA learners
- Resolve a slow memory leak in the proxy core
Release date: January 4, 2018 Version 188.8.131.52-1395
Restore allowed HTTP method types in policy ACLs correctly when restoring backups or replacing autoscaling master instances
Release date: November 14, 2017 Version 184.108.40.206-1320
- Activate JSON parser for a wider content-type range
- Enable response inspection by default on Passive WSM
- Support tilde and percent in external redirects
- Parse cookies more strictly
- Configure AWS auto-scaling master as undisciplined clock
- Resolve a circumstance which caused DHCP to be enabled improperly on new sensors
- Don't log the RAW body twice on Passive WSM
- Allow large file uploads when Content-Length is set
- Resolve UI error when deleting phantom static routes
- Resolve minor issues in SSL client auth handling
Release date: August 2017 Version 220.127.116.11-1204
Fix a regression that broke new routing proxy deployments
Release date: July 17, 2017 Version 18.104.22.168
- Improved response inspection/analysis statistics to eliminate sources of inaccurate criticality scoring.
- Resolved an issue with multi-node configuration sync that could interrupt cluster sync operations.
- Resolved an issue that prevented blacklists from syncing from master to learner nodes in some scenarios.
- Addressed an issue related to high CPU consumption when running scans against WSM in some customer environments.
- Added API calls to import and export site policy templates via WSM management API.
- Added an option to close connection on 502 errors.
- Improved network performance in customer environments with high rates of requests and concurrent requests.
- Resolved nginx range filter potential leakage/denial of service vulnerability (CVE-2017-7529).
- Management UI now requires TLS 1.2+.
Release date: April 12, 2017 Version 22.214.171.124
- Addressed an issue introduced in the 126.96.36.199 release that caused unexpected proxy update/delete behavior.
- Removed potential for theoretical XSS within a specific dialog.
Release date: March 13, 2017 Version 188.8.131.52
- Improved log rotation/log storage database to reduce contention and improve log rotation process.
- Resolved a rare issue with CPUs without AVX support.
- Added Apache Struts (CVE-2017-5638) header validation rule and included in default template.
- Added option to globally enable proxy protocol for all listen IPs
- Changed WSM “Import Proxy Template” API call to match documentation.
Release date: February 21, 2017 Version 184.108.40.206
- Resolved an issue related to falsely indicating versions within a cluster.
- Addressed a small number of scenarios where license keys incorrectly report that they are invalid.
- Addressed scenarios where the appliance watchdog service may inadvertently not be running.
- Resolved several minor typos in the user interface.
- Resolved an issue where changed cluster passwords were not replicated through the entire system.
- Added per-site policy GeoIP-based blacklisting/whitelisting functionality.
- Added internal last modified date for CRUD operations on websites, to be relayed to Alert Logic’s backend.
- User interface will now prevent creation of a proxy whose IP:port overlaps another proxy/protocol.
- Internal daemons dealing with syslog messages now have higher free disk thresholds, consistent with alarms.
Release date: February 7, 2017 Version 220.127.116.11
- Resolved an issue where stats database could end up with improper permissions.
- Resolved potential slow memory leaks with stats collector.
- Improved watchdog recovery of logging agent.
- Completed support for new AWS regions that require both HVM and v4 signatures.
- Introduced dependency on new health monitoring agent.
Release date: January 19, 2017 Version 18.104.22.168
- Improved logging related to blocking/blacklisting IPs, both removing excess errors and ensuring details are properly logged.
- Ensure blocking configuration files are properly written during AWS master re-spins.
- Resolved issue with block timeouts falling back to default rather than using configured timeout.
- Resolved an issue with adding overlapping ranges to blacklists that resulted in some IPs not blacklisted.
- Extended maximum header size limitation to optionally allow headers up to 32k.
Release date: December 15, 2016 Version 22.214.171.124
- Updated response inspection to pick up configuration changes when website configurations are changed.
- Improved handling of learn candidate failures to prevent unexpected deny logs from being created from learn candidates.
- Resolved an issue with System>Tools>Website Configuration preventing expected configuration content from being returned.
- Addressed an issue that may result in unexpected mismatched version alarms within a cluster.
- Provided an updated kernel to address potential security vulnerabilities (including dirtyc0w).
- Updated several minor issues in the REST API and added a new API call to get IP addresses.
- Updated invalid hostname violation to enforce SSL hostname restrictions.
- Provided an affordance for single quotes present in file paths to be allowed by modifying the allowable files regular expression.
Release date: October 27, 2016 Version 126.96.36.199
- This release removes the unexpected need for initial configuration save and restart of the WSM appliance UI at provisioning time.
- This release resolves an issue where backend server violations did not always log headers.
- This release resolves an issue where layer 7 blocking did not always work following autoscaling instance respins.
- This release removes superfluous error generation when syncing routing proxy configs.
- This release improves resilience of deny log transport in certain edge cases.
- This release improves storage of datacenter affiliation configuration.
- This release adds functionality to always include response parameters (even if values are empty) in deny logs to ensure logs are properly parsed.
- This release improves Denial of Service mitigation setting configuration to ensure settings are saved and operate as expected.
- This release addresses an issue related to response inspection learning that can lead to increased CPU consumption.
- This release improves handling of iptables configuration to ensure appliance specific changes are not overwritten for both WSM Premier and WSM (Out of Band).
- This release resolves a scenario where the ACL cache can be cleared during the autoscaling instance boot process.
- This release improves payment card masking to reduce false positives in deny log masking.
- This release updates HTTP SSL settings to lock down insecure ciphers and SSL/TLS for WSM (Out of Band).
- WSM Appliance API users can now be created via UI, CFT, and during appliance provisioning.
- WSM Appliance API users will now be indicated in the appliance UI.
- IP Addresses extracted from X-Forwarded-For headers will now be the leftmost non-private IP.
- Deny log rotation is now limited to preserving 100k records, which will be rotated more frequently.
- Improvements to several WSM appliance alarms facilitate better monitoring and troubleshooting by Alert Logic operations teams.
- Updated WSM appliance SQLite instance for improved stability and reliability.
Release date: September 19, 2016 Version 188.8.131.52
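The X-Forwarded-For rule stated above (leftmost non-private address) together with the optional port handling noted in the August 7, 2018 release, written out as an added example; this is not Alert Logic's code, and the header values, the `PRIVATE_NETS` list and the function names are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed definition of "private" for this example: RFC 1918, loopback and
# link-local ranges, plus their IPv6 counterparts. A real WAF may use a different list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def strip_port(token: str) -> str:
    """Drop an optional port from one X-Forwarded-For token.

    '203.0.113.7:52100'  -> '203.0.113.7'
    '[2001:db8::1]:443'  -> '2001:db8::1'
    '2001:db8::1'        -> unchanged (bare IPv6 has more than one colon)
    """
    token = token.strip()
    if token.startswith("["):          # bracketed IPv6, port may follow the ']'
        end = token.find("]")
        return token[1:end] if end != -1 else token
    if token.count(":") == 1:          # IPv4 with port
        return token.split(":", 1)[0]
    return token


def is_private(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in PRIVATE_NETS)


def client_ip_from_xff(header: str) -> Optional[str]:
    """Return the leftmost non-private address in an X-Forwarded-For value.

    Malformed tokens are skipped; None means no usable address was present.
    Only meaningful when the request arrived via a trusted proxy: the header
    is client-supplied and otherwise carries no trustworthy information.
    """
    for raw in header.split(","):
        candidate = strip_port(raw)
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue                    # not an IP address, skip the token
        if is_private(addr):
            continue                    # internal hop, keep scanning rightwards
        return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample header: an internal hop, then the client with a port.
    print(client_ip_from_xff("10.0.0.5, 203.0.113.7:52100, 198.51.100.9"))
```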
- This release resolves an issue where Content-Type was not being matched case-insensitively.
- This release improves handling of chunked multipart/form-data.
- This release prevents multiple instances of internal services from running on the appliance.
- This release resolves two minor syslog daemon configuration issues.
- This release resolves an issue where invalid learn chunks could cause startup failures without manual intervention.
- This release updates the embedded agent, which now includes additional TLS1.2 support for Alert Logic services.
Release date: August 11, 2016 Version 184.108.40.206
- This release ensures the syslog daemon is restarted properly after upgrade.
- This release resolves an issue with single tuned site configurations not properly transmitting log activity.
- This release resolves an issue with configuration files potentially being overwritten during an upgrade.
- This release resolves an issue during boot where AWS environments were not properly recognized.
- This release resolves an issue with duplicate fwmark rules being created in transparent proxy deployments.
- This release adds capabilities to capture and analyze full server responses, providing the response and potential indicators of compromise within the UI and deny logs.
- This release improves support for Azure WSM deployments, including adjustments to SSH ClientAliveInterval and the WSM configuration UI.
- This release resolves CVE-2016-4450 (a potential DoS condition in nginx).
- This release removes the VLAN submenu from the WSM UI in deployments where it’s not used.
Release date: June 16, 2016 Version 220.127.116.11
- This release resolves an issue with unnecessary services running on auto-scaling workers.
- This release resolves an issue with connectivity to s3 during updates.
- This release resolves several minor issues that could generate unexpected log output.
- This release resolves several issues with the internal watchdog to improve resilience.
- This release resolves an issue where SSL certificate chain expiration dates could appear incorrectly or be out of sync across components.
- This release resolves an issue related to certain scans causing unexpected appliance behavior.
- This release resolves an issue where certain scheduled tasks would not run in configured timezones.
- This release resolves an issue where cluster IP alias limits were not functioning as expected in configuration UI.
- This release resolves an issue with custom access log formats not behaving as expected.
- This release updates openssl library to address recent openssl vulnerabilities (including CVE-2016-2108 and CVE-2016-2107).
- This release further restricts remote login access via SSH to internal and Alert Logic networks.
Release date: April 21, 2016 Version 18.104.22.168
- This release resolves an issue causing proxy stats database to grow excessively large in size.
- This release resolves an issue with a dependent service failing to auto-upgrade during provisioning.
- This release resolves an issue with missing configuration settings not being restored during re-spin in AWS auto-scaling deployments.
- This release resolves an issue with WSM agent service consuming resources on AWS auto-scaling workers.
- This release resolves an issue with the management of multiple instances of dependent services.
- This release resolves an issue with the bootstrap process when services are not immediately ready.
- This release resolves an issue with AWS auto-scaling workers performing unnecessary S3 config backups.
- This release resolves an issue related to layer 7 blocking, including a problem with timeout enforcement.
- This release adds several improvements relating to web security content, including additional details in the deny log when content is triggered.
- This release adds support for monitoring RESTful API methods and zero-length requests that normally have a request body.
- This release adds several improvements to aid in troubleshooting of WSM appliances, while improving monitored checks.
- This release changes worker CPU usage calculation to use standard deviation instead of min/max.
- This release changes backend health check configuration to reject semicolons in path.
Release date: March 3, 2016 Version 22.214.171.124
- This release resolves an issue where WSM user guides/help links may not have been accurate to the WSM version deployed.
- This release resolves issues with several scenarios that could cause unexpected responses to carefully crafted requests.
- This release resolves an issue causing failures importing PKCS12 certificates.
- This release resolves an issue with static routes when using interface-specific gateways.
- This release resolves an issue where temporary files remained after working with SSL cache.
- This release resolves an issue where an unknown method (e.g. WebDAV LOCK) could not be bypassed when parameters/cookies were present.
- This release resolves an issue deploying customer-specific hotfixes to AWS auto-scaling deployments.
- This release resolves an issue displaying deny log when Unicode encoded characters were present in an entry.
- This release adds support for worker access logs to be aggregated on master (similar to deny logs).
- This release updates glibc and openssl to address recent upstream security announcements.
- This release extends enforcement of SSH access, eliminating remote access from the “operator” user.
Release date: July 7, 2016 Version 3.2.38
- This release updates openssl library to address recent openssl vulnerabilities (including CVE-2016-2108, CVE-2016-2107).
- This release further restricts remote login access via SSH to internal and Alert Logic networks.
- This release enables masking of sensitive payment card information in log data by default.