Fortra's Managed Web Application Firewall (WAF) Release Notes

2024 (5.x)

Release date: October 30, 2024 Version 5.2.1.0

Features

Cluster management interface supporting many system administration features for clustered deployments via the WSM UI

Enhancements

Numerous usability and workflow improvements to Page Integrity and Content Security Policy features

Bug fixes

Resolve issue with bot management User-Agent content causing some WAFs to not always use latest release
Resolve a potential infinite loop config sync issue related to OAuth settings
Make WSM agent provision new appliances correctly in non-AWS environments

Release date: October 21, 2024 Version 5.2.0.6

Features

Support authenticated scans for customers with StateRAMP requirements

Enhancements

Require the updated WSM agent with IMDSv2 support
Use EC2 IMDSv2 for metadata calls in AWS

Bug fixes

Do not log OTP details when importing OTP users

Release date: October 1, 2024 Version 5.2.0.5

Features

STIG/SCAP 1.3 appliance report generation

Bug fixes

Prevent infinite queueing of ACME SSL certificate auto-renewal
Update server CA SSL certificate if it is not valid

Release date: September 19, 2024 Version 5.2.0.4

Features

IP blocklist filter allows users to search blocked IP addresses

Bug fixes

Resolve an issue with automatic ACME certificate renewals
Fixed refresh functionality for all script resources
Correctly keep SBOM/license manifests up-to-date
Run AIDE/ClamAV immediately upon activation
Adjust OpenSSH ciphers on appliances that support FIPS mode
Resolve an issue with syslog over TLS
Correctly configure and use management UI's CA chain

Release date: September 12, 2024 Version 5.2.0.3

Features

Allow AIDE/ClamAV to run scans on demand via REST API
Require MFA verification codes during OTP setup

Enhancements

Disable password-only management UI user login if SSO or TOTP is enabled
Advanced Signatures release 5.3.0.6 improving XSS detection and extending file upload inspection
Disable and stop management httpd server on AWS auto-scaling workers
Improve IP blacklist management with large IP assets
Toggle visibility when changing user password in appliance user management

Bug fixes

Fix whitelist configuration-related race condition that generated incorrect error messages
Do not disable source IP auto-block feature when Data Anonymization (GDPR-level obfuscation) is enabled but IP masking is disabled
Resolve an issue with file permissions being incorrect for management UI SSL certificate after upload

Release date: September 2, 2024 Version 5.2.0.2

Features

Local UI login MFA/OTP authentication support
Local UI login OAUTH2 authentication support
DNS over TLS and DNSSEC support
File system integrity checking
API method to configure DNS servers

Enhancements

Password validation requirement settings are more stringent by default
Key size requirements for the management UI cert updated
Remove the requirement for a HostedZoneID for ACME cert validation

Bug fixes

Correctly allow Content-Type exceptions from deny log
Resolve issues with IP list synchronization in AWS auto-scaling clusters
Gracefully deal with waf-core/nginx resolver configuration when no DNS servers are configured
Properly utilize layer 7 throttling when proxy mirrors are in use
Resolve minor issues with CSP-builder and page integrity checking
Resolve issues with layer 7 IP list usage
Resolve an issue with ACME cert selection
Switch internal IP tracking from IPs to CIDR IP ranges

Release date: July 16, 2024 Version 5.2.0.1

Features

Expose Software Bill Of Materials and open source licenses in the WAF user interface
Monitor and log detected malware to Alert Logic backend

Bug fixes

Insert request HTTP headers causing issues with Location redirects
Resolve issue with deny log filtering in the WAF UI terminating the user's login session
Restrict ACL file upload limit to global max

Release date: June 28, 2024 Version 5.2.0.0

Features

Page integrity checking to support PCI DSS 4.0 (6.4.3, 11.6.1) Client Protection requirements
Content Security Policy builder to support PCI DSS 4.0 (6.4.3, 11.6.1) Client Protection requirements
Upgrade WAF to targeted version via the appliance UI
Support 403 Forbidden results and error codes for blocked HTTP requests

Enhancements

Save and show SSL certificate information for ACME issued certificates in the Alert Logic console
Automatically enable data anonymization on FIPS appliances
Enhanced attribution of source IP blocking to more specific deny reasons
Update general signatures to v5.3.0.5 to improve XSS coverage
Only log invalid sync messages from configured cluster IP
Allow 100.64.0.0/10 IP address space for WAF management

Bug fixes

Update JSON parser
Resolve issue with IPs on network block list not being used for layer 7 blocking
Fix a race condition in IP categorization
Stop doing DNS resolution when checking for valid IPv4
Resolve issues with automated maintenance updates (content, GeoIP databases, etc.)

Release date: May 22, 2024 Version 5.1.4.1

Bug fixes

Allow daemons to start without interference after user-specified upgrades
Allow deletion of ACL paths that include HTML entities
Properly schedule reload/restart of the daemon that restarts other daemons

Release date: May 20, 2024 Version 5.1.4.0

Features

Oracle Linux 8 Security Technical Implementation Guide - MAC II - Sensitive-system hardening
Support user-specified egress IP network filtering
Support regular ASV scans
Support user-specified upgrades of auto-scaling stacks

Enhancements

Update SQLite

Bug fixes

Resolve issues syncing regex ACLs and ordered ACLS in HA clusters
Resolve issue with bot management by properly matching certain L7 attributes

Release date: March 25, 2024 Version 5.1.3.0

Features

Added ACME certificate management support, including automatic SSL certificate renewal
Introduced HTTP request throttling based on classifications of the source IP (e.g. GeoIP)

Enhancements

Show blocked country code in deny log of requests blocked by GeoIP
Improve resilience of an internal service related to features such as detecting anomalous sessions
Add minor Fortra branding changes to the UI

Bug fixes

Delete OpenAPI definitions when a proxy is deleted
Fix a config sync issue by properly comparing all data structure variants
Add support for signature class exceptions for custom signatures in the advanced signature engine
Fix multiple issues with CAPTCHA logic
Prevent DDoS detection from starting until it has been turned on
Fix race conditions and improve resilience of an internal service related to detecting anomalous sessions

Release date: March 15, 2024 Version 5.1.2.1

Enhancements

Show ACL type in the web application overview list

Bug fixes

Allow the management UI to work with custom PKCS12 certificates/keys
Allow dashes in Open API paths' parameter names
Make ACL matching case insensitive when case insensitivity is selected
Delete OpenAPI definitions when a proxy is deleted

2023 (5.x)

Release date: December 10, 2023 Version 5.1.2.0

Features

Google reCAPTCHA and hCaptcha integration via interstitial page injection

Bug fixes

Prevent deactivation of global L7 blocking settings if particular websites are using it
Avoid URL collisions in paths used by both protected websites and internal captcha redirects
Correctly enforce large URI first line request limits
Improve DNS resolution resiliency for single-protocol sites with backends defined by hostname

Release date: November 2, 2023 Version 5.1.1.0

Features

API optimized DDoS protection option in Azure and AWS based on automatically generated rulesets of known-good clients
Improved logging of session anomalies to the deny log
Bot management reporting capability

Enhancements

Mitigate HTTP/2 rapid resets with per-iteration stream handling limit
Transmit additional uptime details with the existing uptime monitoring check
Improve efficiency of loading an IP database in core worker processes

Bug fixes

Restore DDoS configurations properly on autoscaling deployments
Correctly parse out hyphenated hostnames for some blackholed requests
Correctly parse out the HTTP method for requests using HTTP/2 and client authentication
Various improvements to bot and client management user interface
Fix validation issue in web form for restricting request length and number
Fix validation issue in web form for layer 7 source IP blocking
Support CamelCase in OpenAPI schemas
Preserve and restore non-alphabetic ACL orderings
Skip public IPs of trusted proxies in XFF headers

Release date: August 8, 2023

Alert Logic has announced that Fortra's Managed WAF will "end of life" (EOL) software versions prior to version 5.x as of March 31, 2024. If you are running version(s) of Managed WAF that will be affected by this EOL, we strongly urge you to contact our dedicated Security Operations team at support@alertlogic.com to schedule an update to the latest version. For additional information, refer to our software update.

Release date: July 12, 2023 Version 5.1.0.2

Features

Automated challenge-based DDoS protection in AWS - pushing protection into AWS infrastructure

Enhancements

Support AWS IMDSv2 API for host metadata
Support X-Forwarded-For source IP parsing for requests going to the black hole
Use systemd for al-core service start/stop

Bug fixes

Fix initialization error in certain ACL policy overrides
Only add vhost alias for a domain to its "www." proxy if not already present for another website
Improvements to PKCS12 certificate key encryption
Solve conflict when CSRF protection (response rewriting) and dynamic HTTP response caching are both enabled
URL decode software packaged filenames properly when looking for updates in S3 repos
Normalize filenames in multipart file upload HTTP requests to prevent spurious decoding violations
Ensure XXE parsing state is properly preserved in all cases to prevent spurious violations
Ensure strictest source IP controls combination is selected when multiple Source Control Groups apply in L7 Source IP and Geolocation based controls

Release date: May 24, 2023 Version 5.1.0.1

Features

Support managing RFC1918 addresses as a separate Source Class in L7 Source IP and Geolocation based controls
Send additional audit log to Fortra log backend

Enhancements

Update dependencies not already part of automatic updates
Emit a "wsm-cert-monitor" log when certificates approach expiration dates
Update Web Session Anomaly Detection sensitivity definitions
Several improvements to CAPTCHA capability
Redact sensitive values in the config object sent to the backend

Bug fixes

Resolve an issue in UTF-8 detection in the WAF engine introduced in version 5.1.0.0 which could lead to a 500 Internal Server Error
Support ACL path regexes with curly brackets
Set correct permissions on some log files
Improvements to error message to read-only users attempting disallowed actions
Set correct violation for requests with an unspecified protocol
Fix issue where caching of XML parse results can lead to subsequent similar XML payloads not being validated correctly

Release date: April 19, 2023 Version 5.1.0.0

Features

Detection of anomalous HTTP sessions
Bot and client automation management
Generalized interface for managing client connection trust
API Support - including OpenAPI specification import

Enhancements

Improved decoupling of monitoring components
Performance optimizations per request
Redirects to centralized documentation
Support giving an appliance a nickname
Support unrestricted file uploads within an application
Improve completeness of deny logs exported to S3

Bug fixes

Fixed a slow memory leak in database lookups of private IPs
Fixed a slow memory leak in core request handling code
Allow header validation rules to be added/saved without a tag
Use updated configuration commands for connection rate limiting
Stop noting redirects issued by the WAF as violations
Remove a stale config file if it is not in the current format
Timeout vhost test request in the UI after one second
Properly trim log details

2022 (4.x and 5.x)

For 2022, Alert Logic supports only WAF as an inline service. Thus, release notes under this section are only in reference to the inline versions of WAF.

Release date: November 18, 2022 Version 5.0.3.0 (only)

Features

New deny log format for Alert Logic backend preserving multiple violations for single requests
Expanded virtual patch capabilities
Support dynamic export of non-anonymized data prior to recording anonymized logs
Support pinning signature versions
Support tagging custom signatures with a meaningful name

Enhancements

Support case sensitivity overrides in ACLs
Improve default settings for new websites and management interface
Improve default SSH settings
Recognize new JSON-based MIME types as JSON
Increase sync message size limit
Update certificates used during software updates
Minor improvements to several existing general signatures

Bug fixes

Handle text/plain parsing correctly in all cases
Remove references to "trial version"
Resolve issue with handling charsets of backend certificate DNs
Resolve issue with captcha settings affecting some upgrades
Ensure ACL order is always preserved when importing a configuration
Require updated agent for backend communication
Removed unneeded repository configurations
Rotate the attack log appropriately

Release date: September 2, 2022 Version 4.6.2.1 (only)

Enhancements

Improve settings for default reference clock

Bug fixes

Validate and enforce SSL CA order correctly
Sync SSL client CA certificate properly on auto-scaling WAFs
Persist system hostname after reboot

Release date: September 1, 2022 Version 5.0.2.1 (only)

Features

Data anonymization: irreversible obfuscation of client input to move WSM log data out of scope of privacy requirements like GDPR, HIPAA, the UK Data Protection Act of 2018, and Australian Information Privacy Act 2009.

Enhancements

Support TLS 1.3 automatically when communicating with backend servers
Improve settings for default reference clock

Bug fixes

Enforce all policies when brute force protection has no CAPTCHA selected
Validate and enforce SSL CA order correctly
Sync SSL client CA certificate properly on auto-scaling WAFs

Release date: August 4, 2022 Version 4.6.2.0 / 5.0.2.0

Features

Detect brute force password guessing and credential stuffing and prevent by enforcing a CAPTCHA
Switch to Oracle Linux 8

Enhancements

Allow NICs without support for legacy settings
Display NTP settings in the UI
Improve validation of core settings on master before synchronization to workers
Integrate with new edge actions API in support of Intelligent Response
Use systemd consistently on WSM 5+

Bug fixes

Allow file upload setting changes when using legacy signatures
Improve repo settings for automated system updates
Skip cookies when running signatures over HTTP headers
Skip Cookie header when running signatures over HTTP headers as each individual cookie is validated separately
Handle wide character issues during command line normalization
Eliminate false positives in one alarm related to appliance monitoring
Stop writing duplicate logs on autoscaling workers
Validate 'null' payloads in JSON correctly
Improve check for RE2 compatibility in signatures

Release date: April 12, 2022 Version 4.6.1.2 / 5.0.1.2

Enhancements

Add support for Alert Logic Intelligent Response
Standardize on dynamically-generated health response for all deployments
Improve crypto-policy and encryption algorithm defaults
Make cluster IDs configurable and persistent across changes to sync settings
Decode %u encoding if allowed in the config

Bug fixes

Ensure synchronization of DNS settings for auto-scaling WAFs
Filter out possibly empty management interface configs
Add further guards against an improper bootstrap in AWS
Add a health check for a read-only filesystem
Alarm on additional signals in the error log
Make adaptive protect mode default to off
Truncate large deny logs properly in all cases
Remove unnecessary modules left over from upgrades from WSM 4
Remove internal debug info from violations logged for invalid JSON

2021 (4.x and 5.x)

Release date: December 10, 2021 Version 4.6.1.0 / 5.0.1.1

Enhancements

Separate %U decoding into multiple configuration options
Allow selection of GeoIP address lookup order
Display implied regex anchors whenever they will apply to header validation rules

Bug fixes

Disable bootstrap user after an appliance is claimed
Handle AWS S3 errors during bootstrap gracefully
Allow ipset restore to add overlapping subnets
Apply API-driven changes to website aliases automatically

Release date: November 15, 2021 Version 4.6.1.0 / 5.0.1.0

Features

Improved XSS signatures
Improved password management for API users
Support SNI for health-checking https backends

Bug fixes

Resolve issue in handling end-of-file during high-volume log transport
Make several violation types more uniform in their presentation
Resolve issue with logging identity of internal users
Inspect file uploads only when the new signature model is enabled

Release date: October 15, 2021 Version 4.6.0.19 / 5.0.0.19

Features

FIPS mode for WSM 5

Bug fixes

Allow PUT requests without a recognized Content-Type if bypass is enabled
Correct SSL certificate permissions issue
Word-break long hostnames in the deny log
Gracefully handle certain SSL read errors in backend health checks
Increase allowed duration of network time requests

Release date: October 4, 2021 Version 4.6.0.18-3249 (all inline platforms) / 5.0.0.18-648 (AWS AMI non-FIPS)

Features

Attack signatures usage now includes advanced engine with header evaluation built in
Improved time-keeping with multiple fallbacks
Improved defaults (advanced signature engine; file upload inspection; emerging threat detection; and opt-in learning)

Bug fixes

Trim learn stats more frequently
Always regenerate core configs during migrations
Remove outdated version check
Perform additional database integrity checks
Skip proxy syncs when no proxies are found

Release date: September 9, 2021 Version 4.6.0.17 (all platforms) / 5.0.0.17 (AWS AMI non-FIPS)

Bug fixes

Eliminate backtracking in the command line normalizer

Release date: August 25, 2021 Version 4.6.0.16 (all platforms) / 5.0.0.16 (AWS AMI non-FIPS)

Features

Display IPs blocked as a result of setting a connection limit
Extend the REST API to support fetching access logs
Automate updates of system packages

Bug fixes

Wrap the text of long Referer URLs in the UI
Minor improvements to system log transport
Anchor ACL path regex when finding matches
Never enable default HTTP/HTTPS in created templates
Correct UI regression in show original request view on WSM 4

Release date: August 3, 2021 Version 4.6.0.15 (all platforms) / 5.0.0.15 (AWS AMI non-FIPS)

Bug fixes

Resolve high-availability cluster sync regression
Allow read-only users to connect from the Alert Logic console
Preserve transparent proxy settings when applying configurations

Release date: July 15, 2021 Version 4.6.0.14 (all platforms) / 5.0.0.14 (AWS AMI non-FIPS)

Bug fixes

Re-initialize message queues upon restoring/importing system settings
Allow sync daemon to health check via loopback

Release date: July 13, 2021 Version 4.6.0.13 (all platforms) / 5.0.0.13 (AWS AMI non-FIPS)

Features

Show number of files associated with excess upload attempts
Allow full search text search on 'info' deny log field
Add HTTP/4848 health check to non-autoscaling deployments
Support delegated credentials for automated response integration

Bug fixes

Prevent significant CPU consumption during normalization of some requests
Support non-compliant multipart form boundaries
Sort the list of available backups
Support larger deny logs
Ensure AWS auto-scaling deployments have a default configuration

Release date: July 9, 2021 Version 4.6.0.12 (all platforms) / 5.0.0.12 (AWS AMI non-FIPS)

Features

Integrate with incident API to support automated response
Support migration of transparent proxy from WSM 4 to WSM 5
Improve configuration sync on AWS auto-scaling deployments
System log display rendering improvements
Internal enhancements to log transport components
Add include sub option to log filter violation filter

Bug fixes

Correctly sort log events
Sync website configs in an optimal order
Adjust log rotation/retention configuration
Remove irrelevant warnings
Ensure all system configuration elements can be saved in UI
Correctly match VLAN interface ID mapping
Concatenate multi-line syslog messages
Allow header/body filters to work on WSM 5
Resolve precedence between GeoIP-blocked and blackholed requests
On WSM 5, ensure log volume is preserved and mounted when master instance is replaced
Prefer configured UUID over provisioning UUID for heartbeating
Prevent auto-scaling worker instances from running wsm_bootstrap loop
Restart framework after WSM update
Regenerate core configuration after SSL certificate REST API update
Allow "0" when validating an HTTP header
Remove 240.0/8 loopback IPs from the UI
Layer 7 blocking should ignore invalid IPs in XFF
Re-open database handles after daemonization in one service
Miscellaneous packaging improvements and system software updates

Release date: April 19, 2021 Version 5.0.0.11 (AWS AMI non-FIPS)

Features

Improvements to CPU and RAM utilization
Log transport agent updated to use newer log ingestion system
Support provisioning in additional data centers

Bug fixes

Allow UI to save policies with over 248 global parameters
Support multi-line syslog messages and system logs in new log agent
Ensure admin daemon restarts service dependencies robustly

Other changes

Remove AWS autoclaim agent

No 4.6.0.10 release exists.

Release date: March 18, 2021 Version 5.0.0.10 (AWS AMI non-FIPS)

Features

Support DHCP assignments with /32 netmask

Other changes

Update jQuery

No 4.6.0.9 release exists.

Release date: March 8, 2021 Version 5.0.0.9 (AWS AMI non-FIPS)

Features

Support JSON lines format for S3 deny log export
Enhance deny log to include string that triggers double encoding violation

Bug fixes

Resolve issue where daemons were not restarting when certain config changes were committed
Resolve issue uploading PEM certificates with separate chains and with uploading PKCS#12 certs/keys
Resolve issue affecting ACL policy manipulation
Suppress errors from update tools when deployment-specific repo bundles are not in use

5.0.0.8 was not released for Managed WAF.

No 4.6.0.8 release exists.

Release date: February 9, 2021 Version 4.6.0.7 (all platforms) / 5.0.0.7 (AWS AMI non-FIPS)

Features

Extend virtual patch support to include Base64 decoding support

Bug fixes

Resolve rare issue with host/role in config generation
Resolve issue with configs where both session persistence (cookie, source IP, etc.) and real server failover was enabled at the same time
Fix internal get_worker_status ops tool
Resolve issue with FIPS mode detection on non-FIPS kernels

No 4.6.0.6, 5.0.0.5, or 5.0.0.6 releases exist.

Release date: January 29, 2021 Version 4.6.0.5 (all platforms) / 5.0.0.4 (AWS AMI non-FIPS)

Changes

Update sudo

Release date: January 27, 2021 Version 5.0.0.3 (AWS AMI non-FIPS)

Features

Support for TLS 1.3
Support for HTTP/2
Support for proxying Web Sockets
Support for proxying gRPC

Release date: January 19, 2021 Version 4.6.0.4

Features

Extended support for virtual patches
New virtual patches with coverage related to SolarWinds compromise

Bug fixes

Improved validation of SSL certificate uploads
Improved handling of certificate revocation lists

2020 (4.x)

Release date: November 3, 2020 Version 4.6.0.3

Bug fixes

Resolve permissions issue and timing issues in AWS master config sync
Resolve country code discrepancy issue in the deny log
Resolve country code discrepancy issue in the deny log
Improve handling of formats for upstream response time value
Reformat deny log to be parseable in search again
Upgrade onboard database software (SQLite)
Minor internal fixes in support of future enhancements

Release date: October 8, 2020 Version 4.6.0.2

Bug fixes

On upgrade, handle ACL paths with regex meta characters correctly

Release date: September 9, 2020 Version 4.6.0.1

Bug fixes

On upgrade, migrate to more configurable HTTP method inspection correctly
Discover recent changes to health-check configuration correctly

Release date: August 31, 2020 Version 4.6.0.0

Features

Support exporting deny logs to an S3 bucket
Support syslog over TLS
Support vpatches for emerging threats
Send additional details to Log Manager regarding generic protocol violations
Improve handling of XML
Improve configurability of body permissions and actions across methods
Minor signature improvement
Numerous performance and portability improvements to WSM internals

Bug fixes

Interpret and synchronize extended syslog config correctly
Check multiple virtual patches matching a path
Fix issue with WSM dashboard not displaying through the AL console
Allow OPTIONS method when no application path config is present
Support separate default vhosts for both HTTP and HTTPS
Send certificate metadata to backend in all cases
Avoid double-escaping regex application paths during upgrades and imports

Release date: May 5, 2020 Version 4.5.9.1

Bug fixes

Improved utf8 handling
Resolved an issue with displaying HTML5 graphs in the console
Improved mqueue allocation during an upgrade

Release date: April 7, 2020 Version 4.5.9.0

Features

Alert Logic now supports new collections of virtual patches (highly-targeted security content for specific vulnerabilities)
Replaced Flash-based UI graphs with HTML5 charts
Improved multibyte support
Allowed GET requests to have a body
Treated expected redirects of HTTP to SSL as non-violating
Minimized UI presentation of sequentially-duplicated system logs
Supported custom log fields in extended enhanced alert log
Used ISO date format for audit logs
Allowed quoted multipart boundaries
Supported SameSite cookies
Supported customizable 307/308 redirects
Supported negation of deny log filter expressions
Supported optional silencing of GeoIP access violations
Expanded character set in the default URL class definition
Added cipher and TLS version as options for custom access log format
Covered additional SQLi conditions with improved security content

Bug fixes

Properly decoded HTML entities when dealing with customer-defined web ACLs
Validated SSL PEM certificates on upload regardless of the "Validate certificate chain" option
Corrected an issue with updating CRL lists
Properly matched regex-based ACLs when adding to them from the deny log view
Updated text in "Add from deny log" functionality
Updated OpenSSH
Updated console URLs in login page
Removed source IPs which have been removed from the teacher node's blacklist
Improved X-Forwarded-For parsing
Made SSL certificate generation default to 2048 bit keys
Used default HTTPS proxy settings correctly
New web ACLs now inherit allowed HTTP method settings
Improved logging for the health check daemon
Improved automated detection of XML content

2019 (4.x)

Release date: November 21, 2019 Version 4.5.8.0

Features

Use regular expressions in web application paths (Note: existing paths will be converted to regexes automatically)
Improve handling of UTF-8 encoding in policy values
Add file extension validation framework
Prioritize GeoIP lookups by represented country, registered country, and RIR assignment country order (Note: This product includes GeoLite2 data created by MaxMind).
Add trusted proxy support for black hole
Offer extended alert log format
Support ECDSA keys for TLS proxies (mutually exclusive with RSA)
Release package updates for base OS security
Block TRACE method on Management UI

Bug fixes

Fix response body rewriting consistency when learning engine is enabled
Fix issue where health check daemon could miss config change notifications

Release date: September 26, 2019 Version 4.5.7.0-2249

Features

Support sending SNI to upstream servers
Support future hotfix deployments independent of upgrades
UI to multi-select country codes
UI to copy deny log details to clipboard
UI warning when enabling proxy protocol
Disable legacy SSH algorithms
Deterministic package installation order for new physical/virtual deployments
API for managing redirects and aliases
Generate warnings when auto-scaling worker sync is blocked
Improvements to deny log parser error handling
Protocol violations should not log entire payload
Reduce false positives on XPATH signatures
Skip [ TRUNCATED ] suffix when adding parameters from log
Remove low-confidence XPATH signatures

Bug fixes

Replace message queue implementation for deny logs, learning data, and response inspection
Always validate request headers using general rules in addition to header-specific validation
Allow ACL definitions to be agnostic about trailing slashes
Match newlines when masking deny log input
Make signature package updates visible in UI
Improve access log routing for auto-scaling deployments with more than ten proxies
Use correct package name when updating signatures on autoscaling worker instances

Release date: June 13, 2019 Version 4.5.6.3-2084

Features

Switched to a new GeoIP2 database format for more accurate geolocation data. This product includes GeoLite2 data created by MaxMind.

Release date: May 7, 2019 Version 4.5.6.2-2030

Features

Reduced false positives in OS Commanding signatures.

Bug fixes

Preserved policy routes when upgrading.

Release date: April 9, 2019 Version 4.5.6.1-1976

Features

Allow single-quoted strings in JSON parser
RPC audit logging overhaul
Expose an option to disable Alert Logic Managed Web Application Firewall (WAF) default inspection scope
Return signature info in response headers in signature test mode
Detect evasion attempts using request body header tricks
Replace ntpd
Reduce false positives
Change authentication mechanism for repository access
Content validation data collection framework
Allow malformed UTF-8 encodings in JSON payloads
Further improvements to TLS key handling

Bug fixes

Persist policy routing priorities
Web App IDS deny log notes correct action on requests to unknown hosts
Prevent errors from terminating syncd
Prevent proxy error log duplication
Allow overlapping system gateway to match a whitelist

Signature changes

Package renamed to accommodate breaking changes
Removed RFI to reduce false positives
Improved general coverage
Improved SQLI coverage

2018 (4.x)

Release date: December 14, 2018 Version 4.5.6.0-1839

Features

Add Joomla PHP injection signature to header validation
Add underlying support for nvme1n1 for new instance types
Allow access logging of calculated remote IP
Allow more granular control of email notifications
Improve TLS key handling
Install operations tool by default
Relax JSON parser to allow scalar string data
Release new kernel
Require latest DNS SQLi signature
Support TLDs up to 32 characters long
Support configurable DTD validation when parsing XML payloads
Turn on filename validation by default
Update several common software packages

Bug fixes

Align utf8 usage in WAF core and the Alert Logic console
Allow the trusted proxy setting to be reset to undefined
Fix WAF display for read-only users in the Alert Logic console
Fix bug in reading attribution signatures
Rotate deny log database more gracefully
HUP syslogng after rotating access log
Improve header validation / RFC enforcement options
Send HSTS headers on WAF error pages
Suppress sensitive metadata in log

Signature changes

DNS exfiltration
Date field for classification signatures
Improved OSC / removed OSC_TRAIL_PIPE
Improved PHP INJ signature
New OSC and SQLI signatures

Release date: August 14, 2018 Version 4.5.5.1-1683

Features

Improved OS commanding detection

Bug fixes

Proxy would improperly block certain OS commanding violations with HTTP 500 errors regardless of policy setting

Release date: August 7, 2018 Version 4.5.5.0-1668

Features

Clean up orphaned package management transaction files
Improve deny log rotation performance
Reduce alarm flapping
Log the offending part of abnormally large payloads
Watchdog enhancements
Enable "Accept underscore characters in request headers" by default
Allow certain alarm conditions to automatically clear when the alarm condition is no longer present
Normalize and de-duplicate virtual host aliases to lowercase
Allow optional port numbers in X-Forwarded-For header parsing
Add configurable back-off period for auto-clearing alarms
Improved OS Commanding detection
Updated signature content
Add Drupal signature as a custom signature to new proxies
AWS Enhanced Networking Adapter foundational support, pending AMI release
Improve cluster synchronization resilience to network errors

Bug fixes

Passive WAF logged proxy IP instead of trusted X-Forwarded-For IP in some circumstances
Error saving intermediate certificate when "Validate certificate chain" is enabled
Strip request headers entirely when required by policy, rather than only removing the value
Deny log processing could stall on Passive WAF
Passive WAF feature can be fully enabled without requiring sensor reboot

Release date: June 7, 2018 Version 4.5.4.3-1586

Features

Add support for AWS S3 bucket server-side KMS encryption

Release date: May 8, 2018 Version 4.5.4.2-1545

Features

Improved audit logging

Bug fixes

Fix a rare memory leak

Release date: April 9, 2018 Version 4.5.4.1-1501

Bug fixes

Fixed issue displaying deny logs with malformed utf8 data
Resolve UI error related to IP sharding feature
Fixed grouping by country in the deny log dashboard
Stop logging at 10% free space left on Passive WAF
Read the correct core error log on auto-scaling masters

Release date: March 6, 2018 Version 4.5.4.0-1461

Features

Support inline WAF on Google Compute Engine
Updated kernel
Replaced string search algorithm
Relaxed threshold for waf-core-cpu alarm

Bug fixes

Prevent autoscaling master instances from syncing backup to S3 when unhealthy
Restored "Insert" option on response header rewrite rules when using more than 4 entries
Fixed L7 blacklist syncing for CIDR ranges
Restored missing fields in deny log in edge case

Release date: January 30, 2018 Version 4.5.3.4-1418

Bug fixes

Resolve an issue which could prevent certain global system settings from syncing to autoscaling workers and HA learners
Resolve a slow memory leak in the proxy core

Release date: January 4, 2018 Version 4.5.3.3-1395

Bug fixes

Restore allowed HTTP method types in policy ACLs correctly when restoring backups or replacing autoscaling master instances

2017 (4.x)

Release date: November 14, 2017 Version 4.5.3.2-1320

Features

Activate JSON parser for a wider content-type range
Enable response inspection by default on Passive WSM
Support tilde and percent in external redirects
Parse cookies more strictly
Configure AWS auto-scaling master as undisciplined clock

Bug fixes

Resolve a circumstance which caused DHCP to be enabled improperly on new sensors
Don't log the RAW body twice on Passive WSM
Allow large file uploads when Content-Length is set
Resolve UI error when deleting phantom static routes
Resolve minor issues in SSL client auth handling

Release date: August 2017 Version 4.5.3.1-1204

Bug fixes

Fix a regression that broke new routing proxy deployments

Release date: July 17, 2017 Version 4.5.3.0

Bug fixes

Improved response inspection/analysis statistics to eliminate sources of inaccurate criticality scoring.
Resolved an issue with multi-node configuration sync that could interrupt cluster sync operations.
Resolved an issue preventing blacklist not syncing from master to learner nodes in some scenarios.
Addressed an issue related to high CPU consumption when running scans against WSM in some customer environments.

Features

Added API calls to import and export site policy templates via WSM management API.
Added an option to close connection on 502 errors.
Improved network performance in customer environments with high rates of requests and concurrent requests.

Security

Resolved nginx range filter potential leakage/denial of service vulnerability (CVE-2017-7529).

Changes

Management UI now requires TLS 1.2+.

Notice

None

Release date: April 12, 2017 Version 4.5.2.4

Bug fixes

Addressed an issue introduced in 4.5.2.1 release causing unexpected proxy update/delete behavior.

Security

Removed potential for theoretical XSS within a specific dialog.

Release date: March 13, 2017 Version 4.5.2.2

Bug fixes

Improved log rotation/log storage database to reduce contention and improve log rotation process.
Resolved a rare issue with CPUs without AVX support.

Features

Added Apache Struts (CVE-2017-5638) header validation rule and included in default template.
Added option to globally enable proxy protocol for all listen IPs

Changes

Changed WSM “Import Proxy Template” API call to match documentation.

Release date: February 21, 2017 Version 4.5.2.1

Bug fixes

Resolved an issue related to falsely indicating versions within a cluster.
Addressed a small number of scenarios where license keys incorrectly report that they are invalid.
Addressed scenarios where the appliance watchdog service may inadvertently not be running.
Resolved several minor typos in the user interface.
Resolved an issue where changed cluster passwords were not replicated through the entire system.

Features

Added per-site policy GeoIP-based blacklisting/whitelisting functionality.

Security

Added internal last modified date for CRUD operations on websites, to be relayed to Alert Logic’s backend.

Changes

User interface will now prevent a proxy creation that overlaps on IP:port between another proxy/protocol.
Increased internal daemons dealing with syslog messages now have higher free disk thresholds, consistent with alarms.

Release date: February 7, 2017 Version 4.5.2.0

Bug fixes

Resolved an issue where stats database could end up with improper permissions.
Resolved potential slow memory leaks with stats collector.
Improved watchdog recovery of logging agent.

Features

Completed support for new AWS regions that require both HVM and v4 signatures.

Changes

Introduced dependency on new health monitoring agent.

Release date: January 19, 2017 Version 4.5.1.2

Bug fixes

Improved logging related to blocking/blacklisting IPs, both removing excess errors and ensuring details are properly logged.
Ensure blocking configuration files are properly written during AWS master re-spins.
Resolved issue with block timeouts falling back to default rather than using configured timeout.
Resolved an issue with adding overlapping ranges to blacklists that resulted in some IPs not blacklisted.

Features

Extended maximum header size limitation to optionally allow headers up to 32k.

2016 (4.x)

Release date

December 15, 2016 (4.5.1.1)

Bug fixes

Updated response inspection to pick up configuration changes when website configurations are changed.
Improved handling of learn candidate failures to prevent unexpected deny logs from being created from learn candidates.
Resolved an issue with System>Tools>Website Configuration preventing expected configuration content from being returned.
Addressed an issue that may result in unexpected mismatched version alarms within a cluster.

Features

N/A

Security

Provided an updated kernel to address potential security vulnerabilities (including dirtyc0w).

Changes

Updated several minor issues in the REST API and added a new API call to get IP addresses.
Updated invalid hostname violation to enforce SSL hostname restrictions.
Provided an affordance for single quotes present in file paths to be allowed by modifying the allowable files regular expression.

Notice

N/A

Release date

October 27, 2016 (4.5.1.0)

Bug fixes

This release removes the unexpected need for initial configuration save and restart of the WSM appliance UI at provisioning time.
This release resolves an issue where backend server violations did not always log headers.
This release resolves an issue where layer 7 blocking did not always work following autoscaling instance respins.
This release removes superfluous error generation when syncing routing proxy configs.
This release improves resilience of deny log transport in certain edge cases.
This release improves storage of datacenter affiliation configuration.
This release adds functionality to always include response parameters (even if values are empty) in deny logs to ensure logs are properly parsed.
This release improves Denial of Service mitigation setting configuration to ensure settings are saved and operate as expected.
This release addresses an issue related to response inspection learning that can lead to increased CPU consumption.
This release improves handling of iptables configuration to ensure appliance specific changes are not overwritten for both WSM Premier and WSM (Out of Band).
This release resolves a scenario where the ACL cache can be cleared during the autoscaling instance boot process.
This release improves payment card masking to reduce false positives in deny log masking.

Features

N/A

Security

This release updates HTTP SSL settings to lock down insecure ciphers and SSL/TLS for WSM (Out of Band).

Changes

WSM Appliance API users can now be created via UI, CFT, and during appliance provisioning.
WSM Appliance API users will now be indicated in the appliance UI.
IP Addresses extracted from X-Forwarded-For headers will now be the leftmost non-private IP.
Deny log rotation is now limited to preserving 100k records, which will be rotated more frequently.
Improvements to several WSM appliance alarms facilitate better monitoring and troubleshooting by Alert Logic operations teams.
Updated WSM appliance SQlite instance for improved stability and reliability.

Notice

N/A

Release date

September 19, 2016 (4.5.0.2)

Bug fixes

This release resolves an issue where Content-Type was not being matched case-insensitively.
This release improves handling of chunked multipart/form-data.
This release prevents multiple instances of internal services from running on the appliance.
This release resolves two minor syslog daemon configuration issues.
This release resolves an issue where invalid learn chunks could cause startup failures without manual intervention.

Features

N/A

Security

This release updates the embedded agent which now includes additional TLS1.2 support for Alert Logic services.

Changes

N/A

Notice

N/A

Release date

August 11, 2016 (4.5.0.0)

Bug fixes

This release ensures syslog daemon was restarted properly after upgrade.
This release resolves an issue with single tuned site configurations not properly transmitting log activity.
This release resolves an issues with configuration files potentially being overwritten during an upgrade.
This release resolves an issue during boot where AWS environments were not properly recognized.
This release resolves an issue with duplicate fwmark rules being created in transparent proxy deployments.

Features

This release adds capabilities to capture and analyze full server responses, providing the response and potential indicators of compromise within the UI and deny logs.
This release improves support for Azure WSM deployments, including adjustments to SSH ClientAliveInterval and the WSM configuration UI.

Security

This release resolves CVE-2016-4450 (a potential DoS condition in nginx).

Changes

This release removes VLAN submenu from WSM UI in deployments where it’s not used.

Notice

N/A

Release date

June 16, 2016 (4.4.3.0)

Bug fixes

This release resolves an issue with unnecessary services running on auto-scaling workers.
This release resolves an issue with connectivity to s3 during updates.
This release resolves several minor issues that could generate unexpected log output.
This release resolves several issues with the internal watchdog to improve resilience.
This release resolves an issue where SSL certificate chain expiration dates could appear incorrectly or be out of sync across components.
This release resolves an issue related to certain scans causing unexpected appliance behavior.
This release resolves an issue where certain scheduled tasks would not run in configured timezones.
This release resolves an issue where cluster IP alias limits were not functioning as expected in configuration UI.
This release resolves an issue with custom access log formats not behaving as expected.

Features

N/A

Security

This release updates openssl library to address recent openssl vulnerabilities (including CVE-2016-2108 and CVE-2016-2107).

Changes

This release further restricts remote login access via SSH to internal and Alert Logic networks.

Notice

N/A

Release date

April 21, 2016 (4.4.2.0)

Bug fixes

This release resolves an issue causing proxy stats database to grow excessively large in size.
This release resolves an issue with a dependent service failing to auto-upgrade during provisioning.
This release resolves an issue with missing configuration settings not being restored during re-spin in AWS auto-scaling deployments.
This release resolves an issue with WSM agent service consuming resources on AWS auto-scaling workers.
This release resolves an issue with the management of multiple instances of dependent services.
This release resolves an issue with the bootstrap process when services are not immediately ready.
This release resolves an issue with AWS auto-scaling workers performing unnecessary S3 config backups.
This release resolves an issue related to layer 7 blocking, including a problem with timeout enforcement.

Features

This release adds several improvements relating to web security content, including additional details in the deny log when content is triggered.
This release adds support for monitoring RESTful API methods and zero-length requests that normally have a request body.
This release adds several improvements to aid in troubleshooting of WSM appliances, while improving monitored checks.

Security

N/A

Changes

This release changes worker CPU usage calculation to use standard deviation instead of min/max.
This release changes backend health check configuration to reject semicolons in path.

Notice

N/A

Release date

March 3, 2016 (4.4.1.0)

Bug fixes

This release resolves an issue where WSM user guides/help links may not have been accurate to the WSM version deployed.
This release resolves issues with several scenarios that could cause unexpected responses to carefully crafted requests.
This release resolves an issue causing failures importing PKCS12 certificates.
This release resolves an issue with static routes when using interface-specific gateways.
This release resolves an issue where temporary files remained after working with SSL cache.
This release resolves an issue where bypassing an unknown method (e.g. WebDAV LOCK) where parameters/cookies were present was not possible.
This release resolves an issue deploying customer-specific hotfixes to AWS auto-scaling deployments.
This release resolves an issue displaying deny log when Unicode encoded characters were present in an entry.

Features

This release adds support for worker access logs to be aggregated on master (similar to deny logs).

Security

This release updates glibc and openssl to address recent upstream security announcements.

Changes

This release extends enforcement of SSH access, eliminating remote access from the “operator” user.

Notice

N/A

2016 (3.2)

Release date

July 7, 2016 (3.2.38)

Bug fixes

N/A

Features

N/A

Security

This release updates openssl library to address recent openssl vulnerabilities (including CVE-2016-2108, CVE-2016-2107).

Changes

This release further restricts remote login access via SSH to internal and Alert Logic networks.
This release enables masking of sensitive payment card information in log data by default.

Notice

N/A

Fortra's Managed Web Application Firewall (WAF) Release Notes