Fortra's Managed Web Application Firewall (WAF) Release Notes
Effective March 31, 2024, all versions of Managed WAF prior to v5.x will be End-of-Life (EOL) and unsupported. For additional information, refer to our software update.
Alert Logic does not automatically push new versions to customers, and an upgrade may be required if you need support on an older appliance.
Release date: December 9, 2024 Version 5.2.1.1
Features
- Support weekly (per day) system update schedules and general system/OS package installation delay to support StateRAMP related integrity and change management requirements
- Detect unauthorized software installs to support StateRAMP related requirements
- Allow users to reset connection trust states for the entire system or for specific IP addresses
- Add a syslog TLS protocol option to allow untrusted peers, so logs can be sent to internal syslog servers that use self-signed TLS certificates
- Add option to generate a Page Integrity report showing all external and inline scripts in a single page
- Option to require all user configured regex to be re2 regex engine compliant
Enhancements
- Fall back to the socket IP when other X-Forwarded-For options are exhausted instead of extracting a potentially wrong IP address
- Reject or issue warnings when regexes cause fallback to PCRE depending on re2 compliance setting
Bug fixes
- Preserve HTML entities when injecting CSP nonces while streaming responses from Page Integrity enabled backend servers
- Support HTTPS backends that require SNI when modifying HTML content required for Page Integrity protections
- Backup/restore support for all Page Integrity resources when doing both system-wide and individual website backup/restore operations
- Correctly truncate WAF deny log which - in rare corner cases - could lead to deny logs not being available in the UI
- Resolve UI element overflow glitch when showing network IP whitelist
- Generate Software Bill of Materials (SBOM) during package creation
- Quote meta characters when matching OpenAPI ACLs
- Prevent DNS exception configuration lock with certain StateRAMP settings
Release date: October 30, 2024 Version 5.2.1.0
Features
- Cluster management interface supporting many system administration features for clustered deployments via the WSM UI
Enhancements
- Numerous usability and workflow improvements to Page Integrity and Content Security Policy features
Bug fixes
- Resolve issue with bot management User-Agent content causing some WAFs to not always use latest release
- Resolve a potential infinite loop config sync issue related to OAuth settings
- Make WSM agent provision new appliances correctly in non-AWS environments
Release date: October 21, 2024 Version 5.2.0.6
Features
- Support authenticated scans for customers with StateRAMP requirements
Enhancements
- Require the updated WSM agent with IMDSv2 support
- Use EC2 IMDSv2 for metadata calls in AWS
Bug fixes
- Do not log OTP details when importing OTP users
Release date: October 1, 2024 Version 5.2.0.5
Features
- STIG/SCAP 1.3 appliance report generation
Bug fixes
- Prevent infinite queueing of ACME SSL certificate auto-renewal
- Update server CA SSL certificate if it is not valid
Release date: September 19, 2024 Version 5.2.0.4
Features
- IP blocklist filter allows users to search blocked IP addresses
Bug fixes
- Resolve an issue with automatic ACME certificate renewals
- Fixed refresh functionality for all script resources
- Correctly keep SBOM/license manifests up-to-date
- Run AIDE/ClamAV immediately upon activation
- Adjust OpenSSH ciphers on appliances that support FIPS mode
- Resolve an issue with syslog over TLS
- Correctly configure and use management UI's CA chain
Release date: September 12, 2024 Version 5.2.0.3
Features
- Allow AIDE/ClamAV to run scans on demand via REST API
- Require MFA verification codes during OTP setup
Enhancements
- Disable password-only management UI user login if SSO or TOTP is enabled
- Advanced Signatures release 5.3.0.6 improving XSS detection and extending file upload inspection
- Disable and stop management httpd server on AWS auto-scaling workers
- Improve IP blacklist management with large IP assets
- Toggle visibility when changing user password in appliance user management
Bug fixes
- Fix whitelist configuration-related race condition that generated incorrect error messages
- Do not disable source IP auto-block feature when Data Anonymization (GDPR-level obfuscation) is enabled but IP masking is disabled
- Resolve an issue with file permissions being incorrect for management UI SSL certificate after upload
Release date: September 2, 2024 Version 5.2.0.2
Features
- Local UI login MFA/OTP authentication support
- Local UI login OAUTH2 authentication support
- DNS over TLS and DNSSEC support
- File system integrity checking
- API method to configure DNS servers
Enhancements
- Password validation requirement settings are more stringent by default
- Key size requirements for the management UI cert updated
- Remove the requirement for a HostedZoneID for ACME cert validation
Bug fixes
- Correctly allow Content-Type exceptions from deny log
- Resolve issues with IP list synchronization in AWS auto-scaling clusters
- Gracefully deal with waf-core/nginx resolver configuration when no DNS servers are configured
- Properly utilize layer 7 throttling when proxy mirrors are in use
- Resolve minor issues with CSP-builder and page integrity checking
- Resolve issues with layer 7 IP list usage
- Resolve an issue with ACME cert selection
- Switch internal IP tracking from IPs to CIDR IP ranges
Release date: July 16, 2024 Version 5.2.0.1
Features
- Expose Software Bill Of Materials and open source licenses in the WAF user interface
- Monitor and log detected malware to Alert Logic backend
Bug fixes
- Insert request HTTP headers causing issues with Location redirects
- Resolve issue with deny log filtering in the WAF UI terminating the user's login session
- Restrict ACL file upload limit to global max
Release date: June 28, 2024 Version 5.2.0.0
Features
- Page integrity checking to support PCI DSS 4.0 (6.4.3, 11.6.1) Client Protection requirements
- Content Security Policy builder to support PCI DSS 4.0 (6.4.3, 11.6.1) Client Protection requirements
- Upgrade WAF to targeted version via the appliance UI
- Support 403 Forbidden results and error codes for blocked HTTP requests
Enhancements
- Save and show SSL certificate information for ACME issued certificates in the Alert Logic console
- Automatically enable data anonymization on FIPS appliances
- Enhanced attribution of source IP blocking to more specific deny reasons
- Update general signatures to v5.3.0.5 to improve XSS coverage
- Only log invalid sync messages from configured cluster IP
- Allow 100.64.0.0/10 IP address space for WAF management
Bug fixes
- Update JSON parser
- Resolve issue with IPs on network block list not being used for layer 7 blocking
- Fix a race condition in IP categorization
- Stop doing DNS resolution when checking for valid IPv4
- Resolve issues with automated maintenance updates (content, GeoIP databases, etc.)
Release date: May 22, 2024 Version 5.1.4.1
Bug fixes
- Allow daemons to start without interference after user-specified upgrades
- Allow deletion of ACL paths that include HTML entities
- Properly schedule reload/restart of the daemon that restarts other daemons
Release date: May 20, 2024 Version 5.1.4.0
Features
- Oracle Linux 8 Security Technical Implementation Guide - MAC II - Sensitive-system hardening
- Support user-specified egress IP network filtering
- Support regular ASV scans
- Support user-specified upgrades of auto-scaling stacks
Enhancements
- Update SQLite
Bug fixes
- Resolve issues syncing regex ACLs and ordered ACLs in HA clusters
- Resolve issue with bot management by properly matching certain L7 attributes
Release date: March 25, 2024 Version 5.1.3.0
Features
- Added ACME certificate management support, including automatic SSL certificate renewal
- Introduced HTTP request throttling based on classifications of the source IP (e.g. GeoIP)
Enhancements
- Show blocked country code in deny log of requests blocked by GeoIP
- Improve resilience of an internal service related to features such as detecting anomalous sessions
- Add minor Fortra branding changes to the UI
Bug fixes
- Delete OpenAPI definitions when a proxy is deleted
- Fix a config sync issue by properly comparing all data structure variants
- Add support for signature class exceptions for custom signatures in the advanced signature engine
- Fix multiple issues with CAPTCHA logic
- Prevent DDoS detection from starting until it has been turned on
- Fix race conditions and improve resilience of an internal service related to detecting anomalous sessions
Release date: March 15, 2024 Version 5.1.2.1
Enhancements
- Show ACL type in the web application overview list
Bug fixes
- Allow the management UI to work with custom PKCS12 certificates/keys
- Allow dashes in Open API paths' parameter names
- Make ACL matching case insensitive when case insensitivity is selected
- Delete OpenAPI definitions when a proxy is deleted
Release date: December 10, 2023 Version 5.1.2.0
Features
- Google reCAPTCHA and hCaptcha integration via interstitial page injection
Bug fixes
- Prevent deactivation of global L7 blocking settings if particular websites are using it
- Avoid URL collisions in paths used by both protected websites and internal captcha redirects
- Correctly enforce large URI first line request limits
- Improve DNS resolution resiliency for single-protocol sites with backends defined by hostname
Release date: November 2, 2023 Version 5.1.1.0
Features
- API optimized DDoS protection option in Azure and AWS based on automatically generated rulesets of known-good clients
- Improved logging of session anomalies to the deny log
- Bot management reporting capability
Enhancements
- Mitigate HTTP/2 rapid resets with per-iteration stream handling limit
- Transmit additional uptime details with the existing uptime monitoring check
- Improve efficiency of loading an IP database in core worker processes
Bug fixes
- Restore DDoS configurations properly on autoscaling deployments
- Correctly parse out hyphenated hostnames for some blackholed requests
- Correctly parse out the HTTP method for requests using HTTP/2 and client authentication
- Various improvements to bot and client management user interface
- Fix validation issue in web form for restricting request length and number
- Fix validation issue in web form for layer 7 source IP blocking
- Support CamelCase in OpenAPI schemas
- Preserve and restore non-alphabetic ACL orderings
- Skip public IPs of trusted proxies in XFF headers
Release date: August 8, 2023
Alert Logic has announced that Fortra's Managed WAF will "end of life" (EOL) software versions prior to version 5.x as of March 31, 2024. If you are running version(s) of Managed WAF that will be affected by this EOL, we strongly urge you to contact our dedicated Security Operations team at support@alertlogic.com to schedule an update to the latest version. For additional information, refer to our software update.
Release date: July 12, 2023 Version 5.1.0.2
Features
- Automated challenge-based DDoS protection in AWS - pushing protection into AWS infrastructure
Enhancements
- Support AWS IMDSv2 API for host metadata
- Support X-Forwarded-For source IP parsing for requests going to the black hole
- Use systemd for al-core service start/stop
Bug fixes
- Fix initialization error in certain ACL policy overrides
- Only add vhost alias for a domain to its "www." proxy if not already present for another website
- Improvements to PKCS12 certificate key encryption
- Solve conflict when CSRF protection (response rewriting) and dynamic HTTP response caching are both enabled
- URL decode software packaged filenames properly when looking for updates in S3 repos
- Normalize filenames in multipart file upload HTTP requests to prevent spurious decoding violations
- Ensure XXE parsing state is properly preserved in all cases to prevent spurious violations
- Ensure strictest source IP controls combination is selected when multiple Source Control Groups apply in L7 Source IP and Geolocation based controls
Release date: May 24, 2023 Version 5.1.0.1
Features
- Support managing RFC1918 addresses as a separate Source Class in L7 Source IP and Geolocation based controls
- Send additional audit log to Fortra log backend
Enhancements
- Update dependencies not already part of automatic updates
- Emit a "wsm-cert-monitor" log when certificates approach expiration dates
- Update Web Session Anomaly Detection sensitivity definitions
- Several improvements to CAPTCHA capability
- Redact sensitive values in the config object sent to the backend
Bug fixes
- Resolve an issue in UTF-8 detection in the WAF engine introduced in version 5.1.0.0 which could lead to a 500 Internal Server Error
- Support ACL path regexes with curly brackets
- Set correct permissions on some log files
- Improvements to error message to read-only users attempting disallowed actions
- Set correct violation for requests with an unspecified protocol
- Fix issue where caching of XML parse results can lead to subsequent similar XML payloads not being validated correctly
Release date: April 19, 2023 Version 5.1.0.0
Features
- Detection of anomalous HTTP sessions
- Bot and client automation management
- Generalized interface for managing client connection trust
- API Support - including OpenAPI specification import
Enhancements
- Improved decoupling of monitoring components
- Performance optimizations per request
- Redirects to centralized documentation
- Support giving an appliance a nickname
- Support unrestricted file uploads within an application
- Improve completeness of deny logs exported to S3
Bug fixes
- Fixed a slow memory leak in database lookups of private IPs
- Fixed a slow memory leak in core request handling code
- Allow header validation rules to be added/saved without a tag
- Use updated configuration commands for connection rate limiting
- Stop noting redirects issued by the WAF as violations
- Remove a stale config file if it is not in the current format
- Timeout vhost test request in the UI after one second
- Properly trim log details
For 2022, Alert Logic supports only WAF as an inline service. Thus, release notes under this section are only in reference to the inline versions of WAF.
Release date: November 18, 2022 Version 5.0.3.0 (only)
Features
- New deny log format for Alert Logic backend preserving multiple violations for single requests
- Expanded virtual patch capabilities
- Support dynamic export of non-anonymized data prior to recording anonymized logs
- Support pinning signature versions
- Support tagging custom signatures with a meaningful name
Enhancements
- Support case sensitivity overrides in ACLs
- Improve default settings for new websites and management interface
- Improve default SSH settings
- Recognize new JSON-based MIME types as JSON
- Increase sync message size limit
- Update certificates used during software updates
- Minor improvements to several existing general signatures
Bug fixes
- Handle text/plain parsing correctly in all cases
- Remove references to "trial version"
- Resolve issue with handling charsets of backend certificate DNs
- Resolve issue with captcha settings affecting some upgrades
- Ensure ACL order is always preserved when importing a configuration
- Require updated agent for backend communication
- Removed unneeded repository configurations
- Rotate the attack log appropriately
Release date: September 2, 2022 Version 4.6.2.1 (only)
Enhancements
- Improve settings for default reference clock
Bug fixes
- Validate and enforce SSL CA order correctly
- Sync SSL client CA certificate properly on auto-scaling WAFs
- Persist system hostname after reboot
Release date: September 1, 2022 Version 5.0.2.1 (only)
Features
- Data anonymization: irreversible obfuscation of client input to move WSM log data out of scope of privacy requirements like GDPR, HIPAA, the UK Data Protection Act of 2018, and Australian Information Privacy Act 2009.
Enhancements
- Support TLS 1.3 automatically when communicating with backend servers
- Improve settings for default reference clock
Bug fixes
- Enforce all policies when brute force protection has no CAPTCHA selected
- Validate and enforce SSL CA order correctly
- Sync SSL client CA certificate properly on auto-scaling WAFs
Release date: August 4, 2022 Version 4.6.2.0 / 5.0.2.0
Features
- Detect brute force password guessing and credential stuffing and prevent by enforcing a CAPTCHA
- Switch to Oracle Linux 8
Enhancements
- Allow NICs without support for legacy settings
- Display NTP settings in the UI
- Improve validation of core settings on master before synchronization to workers
- Integrate with new edge actions API in support of Intelligent Response
- Use systemd consistently on WSM 5+
Bug fixes
- Allow file upload setting changes when using legacy signatures
- Improve repo settings for automated system updates
- Skip cookies when running signatures over HTTP headers
- Skip Cookie header when running signatures over HTTP headers as each individual cookie is validated separately
- Handle wide character issues during command line normalization
- Eliminate false positives in one alarm related to appliance monitoring
- Stop writing duplicate logs on autoscaling workers
- Validate 'null' payloads in JSON correctly
- Improve check for RE2 compatibility in signatures
Release date: April 12, 2022 Version 4.6.1.2 / 5.0.1.2
Enhancements
- Add support for Alert Logic Intelligent Response
- Standardize on dynamically-generated health response for all deployments
- Improve crypto-policy and encryption algorithm defaults
- Make cluster IDs configurable and persistent across changes to sync settings
- Decode %u encoding if allowed in the config
Bug fixes
- Ensure synchronization of DNS settings for auto-scaling WAFs
- Filter out possibly empty management interface configs
- Add further guards against an improper bootstrap in AWS
- Add a health check for a read-only filesystem
- Alarm on additional signals in the error log
- Make adaptive protect mode default to off
- Truncate large deny logs properly in all cases
- Remove unnecessary modules left over from upgrades from WSM 4
- Remove internal debug info from violations logged for invalid JSON
Release date: December 10, 2021 Version 4.6.1.0 / 5.0.1.1
Enhancements
- Separate %U decoding into multiple configuration options
- Allow selection of GeoIP address lookup order
- Display implied regex anchors whenever they will apply to header validation rules
Bug fixes
- Disable bootstrap user after an appliance is claimed
- Handle AWS S3 errors during bootstrap gracefully
- Allow ipset restore to add overlapping subnets
- Apply API-driven changes to website aliases automatically
Release date: November 15, 2021 Version 4.6.1.0 / 5.0.1.0
Features
- Improved XSS signatures
- Improved password management for API users
- Support SNI for health-checking https backends
Bug fixes
- Resolve issue in handling end-of-file during high-volume log transport
- Make several violation types more uniform in their presentation
- Resolve issue with logging identity of internal users
- Inspect file uploads only when the new signature model is enabled
Release date: October 15, 2021 Version 4.6.0.19 / 5.0.0.19
Features
- FIPS mode for WSM 5
Bug fixes
- Allow PUT requests without a recognized Content-Type if bypass is enabled
- Correct SSL certificate permissions issue
- Word-break long hostnames in the deny log
- Gracefully handle certain SSL read errors in backend health checks
- Increase allowed duration of network time requests
Release date: October 4, 2021 Version 4.6.0.18-3249 (all inline platforms) / 5.0.0.18-648 (AWS AMI non-FIPS)
Features
- Attack signatures usage now includes advanced engine with header evaluation built in
- Improved time-keeping with multiple fallbacks
- Improved defaults (advanced signature engine; file upload inspection; emerging threat detection; and opt-in learning)
Bug fixes
- Trim learn stats more frequently
- Always regenerate core configs during migrations
- Remove outdated version check
- Perform additional database integrity checks
- Skip proxy syncs when no proxies are found
Release date: September 9, 2021 Version 4.6.0.17 (all platforms) / 5.0.0.17 (AWS AMI non-FIPS)
Bug fixes
- Eliminate backtracking in the command line normalizer
Release date: August 25, 2021 Version 4.6.0.16 (all platforms) / 5.0.0.16 (AWS AMI non-FIPS)
Features
- Display IPs blocked as a result of setting a connection limit
- Extend the REST API to support fetching access logs
- Automate updates of system packages
Bug fixes
- Wrap the text of long Referer URLs in the UI
- Minor improvements to system log transport
- Anchor ACL path regex when finding matches
- Never enable default HTTP/HTTPS in created templates
- Correct UI regression in show original request view on WSM 4
Release date: August 3, 2021 Version 4.6.0.15 (all platforms) / 5.0.0.15 (AWS AMI non-FIPS)
Bug fixes
- Resolve high-availability cluster sync regression
- Allow read-only users to connect from the Alert Logic console
- Preserve transparent proxy settings when applying configurations
Release date: July 15, 2021 Version 4.6.0.14 (all platforms) / 5.0.0.14 (AWS AMI non-FIPS)
Bug fixes
- Re-initialize message queues upon restoring/importing system settings
- Allow sync daemon to health check via loopback
Release date: July 13, 2021 Version 4.6.0.13 (all platforms) / 5.0.0.13 (AWS AMI non-FIPS)
Features
- Show number of files associated with excess upload attempts
- Allow full search text search on 'info' deny log field
- Add HTTP/4848 health check to non-autoscaling deployments
- Support delegated credentials for automated response integration
Bug fixes
- Prevent significant CPU consumption during normalization of some requests
- Support non-compliant multipart form boundaries
- Sort the list of available backups
- Support larger deny logs
- Ensure AWS auto-scaling deployments have a default configuration
Release date: July 9, 2021 Version 4.6.0.12 (all platforms) / 5.0.0.12 (AWS AMI non-FIPS)
Features
- Integrate with incident API to support automated response
- Support migration of transparent proxy from WSM 4 to WSM 5
- Improve configuration sync on AWS auto-scaling deployments
- System log display rendering improvements
- Internal enhancements to log transport components
- Add include sub option to log filter violation filter
Bug fixes
- Correctly sort log events
- Sync website configs in an optimal order
- Adjust log rotation/retention configuration
- Remove irrelevant warnings
- Ensure all system configuration elements can be saved in UI
- Correctly match VLAN interface ID mapping
- Concatenate multi-line syslog messages
- Allow header/body filters to work on WSM 5
- Resolve precedence between GeoIP-blocked and blackholed requests
- On WSM 5, ensure log volume is preserved and mounted when master instance is replaced
- Prefer configured UUID over provisioning UUID for heartbeating
- Prevent auto-scaling worker instances from running wsm_bootstrap loop
- Restart framework after WSM update
- Regenerate core configuration after SSL certificate REST API update
- Allow "0" when validating an HTTP header
- Remove 240.0/8 loopback IPs from the UI
- Layer 7 blocking should ignore invalid IPs in XFF
- Re-open database handles after daemonization in one service
- Miscellaneous packaging improvements and system software updates
Release date: April 19, 2021 Version 5.0.0.11 (AWS AMI non-FIPS)
Features
- Improvements to CPU and RAM utilization
- Log transport agent updated to use newer log ingestion system
- Support provisioning in additional data centers
Bug fixes
- Allow UI to save policies with over 248 global parameters
- Support multi-line syslog messages and system logs in new log agent
- Ensure admin daemon restarts service dependencies robustly
Other changes
- Remove AWS autoclaim agent
No 4.6.0.10 release exists.
Release date: March 18, 2021 Version 5.0.0.10 (AWS AMI non-FIPS)
Features
- Support DHCP assignments with /32 netmask
Other changes
- Update jQuery
No 4.6.0.9 release exists.
Release date: March 8, 2021 Version 5.0.0.9 (AWS AMI non-FIPS)
Features
- Support JSON lines format for S3 deny log export
- Enhance deny log to include string that triggers double encoding violation
Bug fixes
- Resolve issue where daemons were not restarting when certain config changes were committed
- Resolve issue uploading PEM certificates with separate chains and with uploading PKCS#12 certs/keys
- Resolve issue affecting ACL policy manipulation
- Suppress errors from update tools when deployment-specific repo bundles are not in use
5.0.0.8 was not released for Managed WAF.
No 4.6.0.8 release exists.
Release date: February 9, 2021 Version 4.6.0.7 (all platforms) / 5.0.0.7 (AWS AMI non-FIPS)
Features
- Extend virtual patch support to include Base64 decoding support
Bug fixes
- Resolve rare issue with host/role in config generation
- Resolve issue with configs where both session persistence (cookie, source IP, etc.) and real server failover was enabled at the same time
- Fix internal get_worker_status ops tool
- Resolve issue with FIPS mode detection on non-FIPS kernels
No 4.6.0.6, 5.0.0.5, or 5.0.0.6 releases exist.
Release date: January 29, 2021 Version 4.6.0.5 (all platforms) / 5.0.0.4 (AWS AMI non-FIPS)
Changes
- Update sudo
Release date: January 27, 2021 Version 5.0.0.3 (AWS AMI non-FIPS)
Features
- Support for TLS 1.3
- Support for HTTP/2
- Support for proxying Web Sockets
- Support for proxying gRPC
Release date: January 19, 2021 Version 4.6.0.4
Features
- Extended support for virtual patches
- New virtual patches with coverage related to SolarWinds compromise
Bug fixes
- Improved validation of SSL certificate uploads
- Improved handling of certificate revocation lists
Release date: November 3, 2020 Version 4.6.0.3
Bug fixes
- Resolve permissions issue and timing issues in AWS master config sync
- Resolve country code discrepancy issue in the deny log
- Improve handling of formats for upstream response time value
- Reformat deny log to be parseable in search again
- Upgrade onboard database software (SQLite)
- Minor internal fixes in support of future enhancements
Release date: October 8, 2020 Version 4.6.0.2
Bug fixes
- On upgrade, handle ACL paths with regex meta characters correctly
Release date: September 9, 2020 Version 4.6.0.1
Bug fixes
- On upgrade, migrate to more configurable HTTP method inspection correctly
- Discover recent changes to health-check configuration correctly
Release date: August 31, 2020 Version 4.6.0.0
Features
- Support exporting deny logs to an S3 bucket
- Support syslog over TLS
- Support vpatches for emerging threats
- Send additional details to Log Manager regarding generic protocol violations
- Improve handling of XML
- Improve configurability of body permissions and actions across methods
- Minor signature improvement
- Numerous performance and portability improvements to WSM internals
Bug fixes
- Interpret and synchronize extended syslog config correctly
- Check multiple virtual patches matching a path
- Fix issue with WSM dashboard not displaying through the AL console
- Allow OPTIONS method when no application path config is present
- Support separate default vhosts for both HTTP and HTTPS
- Send certificate metadata to backend in all cases
- Avoid double-escaping regex application paths during upgrades and imports
Release date: May 5, 2020 Version 4.5.9.1
Bug fixes
- Improved utf8 handling
- Resolved an issue with displaying HTML5 graphs in the console
- Improved mqueue allocation during an upgrade
Release date: April 7, 2020 Version 4.5.9.0
Features
- Alert Logic now supports new collections of virtual patches (highly-targeted security content for specific vulnerabilities)
- Replaced Flash-based UI graphs with HTML5 charts
- Improved multibyte support
- Allowed GET requests to have a body
- Treated expected redirects of HTTP to SSL as non-violating
- Minimized UI presentation of sequentially-duplicated system logs
- Supported custom log fields in extended enhanced alert log
- Used ISO date format for audit logs
- Allowed quoted multipart boundaries
- Supported SameSite cookies
- Supported customizable 307/308 redirects
- Supported negation of deny log filter expressions
- Supported optional silencing of GeoIP access violations
- Expanded character set in the default URL class definition
- Added cipher and TLS version as options for custom access log format
- Covered additional SQLi conditions with improved security content
Bug fixes
- Properly decoded HTML entities when dealing with customer-defined web ACLs
- Validated SSL PEM certificates on upload regardless of the "Validate certificate chain" option
- Corrected an issue with updating CRL lists
- Properly matched regex-based ACLs when adding to them from the deny log view
- Updated text in "Add from deny log" functionality
- Updated OpenSSH
- Updated console URLs in login page
- Removed source IPs which have been removed from the teacher node's blacklist
- Improved X-Forwarded-For parsing
- Made SSL certificate generation default to 2048 bit keys
- Used default HTTPS proxy settings correctly
- New web ACLs now inherit allowed HTTP method settings
- Improved logging for the health check daemon
- Improved automated detection of XML content
Release date: November 21, 2019 Version 4.5.8.0
Features
- Use regular expressions in web application paths (Note: existing paths will be converted to regexes automatically)
- Improve handling of UTF-8 encoding in policy values
- Add file extension validation framework
- Prioritize GeoIP lookups by represented country, registered country, and RIR assignment country order (Note: This product includes GeoLite2 data created by MaxMind).
- Add trusted proxy support for black hole
- Offer extended alert log format
- Support ECDSA keys for TLS proxies (mutually exclusive with RSA)
- Release package updates for base OS security
- Block TRACE method on Management UI
Bug fixes
- Fix response body rewriting consistency when learning engine is enabled
- Fix issue where health check daemon could miss config change notifications
Release date: September 26, 2019 Version 4.5.7.0-2249
Features
- Support sending SNI to upstream servers
- Support future hotfix deployments independent of upgrades
- UI to multi-select country codes
- UI to copy deny log details to clipboard
- UI warning when enabling proxy protocol
- Disable legacy SSH algorithms
- Deterministic package installation order for new physical/virtual deployments
- API for managing redirects and aliases
- Generate warnings when auto-scaling worker sync is blocked
- Improvements to deny log parser error handling
- Protocol violations should not log entire payload
- Reduce false positives on XPATH signatures
- Skip [ TRUNCATED ] suffix when adding parameters from log
- Remove low-confidence XPATH signatures
Bug fixes
- Replace message queue implementation for deny logs, learning data, and response inspection
- Always validate request headers using general rules in addition to header-specific validation
- Allow ACL definitions to be agnostic about trailing slashes
- Match newlines when masking deny log input
- Make signature package updates visible in UI
- Improve access log routing for auto-scaling deployments with more than ten proxies
- Use correct package name when updating signatures on autoscaling worker instances
Release date: June 13, 2019 Version 4.5.6.3-2084
Features
Switched to a new GeoIP2 database format for more accurate geolocation data. This product includes GeoLite2 data created by MaxMind.
Release date: May 7, 2019 Version 4.5.6.2-2030
Features
Reduced false positives in OS Commanding signatures.
Bug fixes
Preserved policy routes when upgrading.
Release date: April 9, 2019 Version 4.5.6.1-1976
Features
- Allow single-quoted strings in JSON parser
- RPC audit logging overhaul
- Expose an option to disable Alert Logic Managed Web Application Firewall (WAF) default inspection scope
- Return signature info in response headers in signature test mode
- Detect evasion attempts using request body header tricks
- Replace ntpd
- Reduce false positives
- Change authentication mechanism for repository access
- Content validation data collection framework
- Allow malformed UTF-8 encodings in JSON payloads
- Further improvements to TLS key handling
Bug fixes
- Persist policy routing priorities
- Web App IDS deny log notes correct action on requests to unknown hosts
- Prevent errors from terminating syncd
- Prevent proxy error log duplication
- Allow overlapping system gateway to match a whitelist
Signature changes
- Package renamed to accommodate breaking changes
- Removed RFI to reduce false positives
- Improved general coverage
- Improved SQLI coverage
Release date: December 14, 2018 Version 4.5.6.0-1839
Features
- Add Joomla PHP injection signature to header validation
- Add underlying support for nvme1n1 for new instance types
- Allow access logging of calculated remote IP
- Allow more granular control of email notifications
- Improve TLS key handling
- Install operations tool by default
- Relax JSON parser to allow scalar string data
- Release new kernel
- Require latest DNS SQLi signature
- Support TLDs up to 32 characters long
- Support configurable DTD validation when parsing XML payloads
- Turn on filename validation by default
- Update several common software packages
Bug fixes
- Align utf8 usage in WAF core and the Alert Logic console
- Allow the trusted proxy setting to be reset to undefined
- Fix WAF display for read-only users in the Alert Logic console
- Fix bug in reading attribution signatures
- Rotate deny log database more gracefully
- HUP syslogng after rotating access log
- Improve header validation / RFC enforcement options
- Send HSTS headers on WAF error pages
- Suppress sensitive metadata in log
Signature changes
- DNS exfiltration
- Date field for classification signatures
- Improved OSC / removed OSC_TRAIL_PIPE
- Improved PHP INJ signature
- New OSC and SQLI signatures
Release date: August 14, 2018 Version 4.5.5.1-1683
Features
Improved OS commanding detection
Bug fixes
Proxy would improperly block certain OS commanding violations with HTTP 500 errors regardless of policy setting
Release date: August 7, 2018 Version 4.5.5.0-1668
Features
- Clean up orphaned package management transaction files
- Improve deny log rotation performance
- Reduce alarm flapping
- Log the offending part of abnormally large payloads
- Watchdog enhancements
- Enable "Accept underscore characters in request headers" by default
- Allow certain alarm conditions to automatically clear when the alarm condition is no longer present
- Normalize and de-duplicate virtual host aliases to lowercase
- Allow optional port numbers in X-Forwarded-For header parsing
- Add configurable back-off period for auto-clearing alarms
- Improved OS Commanding detection
- Updated signature content
- Add Drupal signature as a custom signature to new proxies
- AWS Enhanced Networking Adapter foundational support, pending AMI release
- Improve cluster synchronization resilience to network errors
Bug fixes
- Passive WAF logged proxy IP instead of trusted X-Forwarded-For IP in some circumstances
- Error saving intermediate certificate when "Validate certificate chain" is enabled
- Strip request headers entirely when required by policy, rather than only removing the value
- Deny log processing could stall on Passive WAF
- Passive WAF feature can be fully enabled without requiring sensor reboot
Release date: June 7, 2018 Version 4.5.4.3-1586
Features
Add support for AWS S3 bucket server-side KMS encryption
Release date: May 8, 2018 Version 4.5.4.2-1545
Features
Improved audit logging
Bug fixes
Fix a rare memory leak
Release date: April 9, 2018 Version 4.5.4.1-1501
Bug fixes
- Fixed issue displaying deny logs with malformed utf8 data
- Resolve UI error related to IP sharding feature
- Fixed grouping by country in the deny log dashboard
- Stop logging at 10% free space left on Passive WAF
- Read the correct core error log on auto-scaling masters
Release date: March 6, 2018 Version 4.5.4.0-1461
Features
- Support inline WAF on Google Compute Engine
- Updated kernel
- Replaced string search algorithm
- Relaxed threshold for waf-core-cpu alarm
Bug fixes
- Prevent autoscaling master instances from syncing backup to S3 when unhealthy
- Restored "Insert" option on response header rewrite rules when using more than 4 entries
- Fixed L7 blacklist syncing for CIDR ranges
- Restored missing fields in deny log in edge case
Release date: January 30, 2018 Version 4.5.3.4-1418
Bug fixes
- Resolve an issue which could prevent certain global system settings from syncing to autoscaling workers and HA learners
- Resolve a slow memory leak in the proxy core
Release date: January 4, 2018 Version 4.5.3.3-1395
Bug fixes
Restore allowed HTTP method types in policy ACLs correctly when restoring backups or replacing autoscaling master instances
Release date: November 14, 2017 Version 4.5.3.2-1320
Features
- Activate JSON parser for a wider content-type range
- Enable response inspection by default on Passive WSM
- Support tilde and percent in external redirects
- Parse cookies more strictly
- Configure AWS auto-scaling master as undisciplined clock
Bug fixes
- Resolve a circumstance which caused DHCP to be enabled improperly on new sensors
- Don't log the RAW body twice on Passive WSM
- Allow large file uploads when Content-Length is set
- Resolve UI error when deleting phantom static routes
- Resolve minor issues in SSL client auth handling
Release date: August 2017 Version 4.5.3.1-1204
Bug fixes
Fix a regression that broke new routing proxy deployments
Release date: July 17, 2017 Version 4.5.3.0
Bug fixes
- Improved response inspection/analysis statistics to eliminate sources of inaccurate criticality scoring.
- Resolved an issue with multi-node configuration sync that could interrupt cluster sync operations.
- Resolved an issue that prevented the blacklist from syncing from master to learner nodes in some scenarios.
- Addressed an issue related to high CPU consumption when running scans against WSM in some customer environments.
Features
- Added API calls to import and export site policy templates via WSM management API.
- Added an option to close connection on 502 errors.
- Improved network performance in customer environments with high rates of requests and concurrent requests.
Security
- Resolved nginx range filter potential leakage/denial of service vulnerability (CVE-2017-7529).
Changes
- Management UI now requires TLS 1.2+.
Notice
None
Release date: April 12, 2017 Version 4.5.2.4
Bug fixes
- Addressed an issue introduced in 4.5.2.1 release causing unexpected proxy update/delete behavior.
Security
- Removed potential for theoretical XSS within a specific dialog.
Release date: March 13, 2017 Version 4.5.2.2
Bug fixes
- Improved log rotation/log storage database to reduce contention and improve log rotation process.
- Resolved a rare issue with CPUs without AVX support.
Features
- Added Apache Struts (CVE-2017-5638) header validation rule and included in default template.
- Added option to globally enable proxy protocol for all listen IPs
Changes
- Changed WSM “Import Proxy Template” API call to match documentation.
Release date: February 21, 2017 Version 4.5.2.1
Bug fixes
- Resolved an issue related to falsely indicating versions within a cluster.
- Addressed a small number of scenarios where license keys incorrectly report that they are invalid.
- Addressed scenarios where the appliance watchdog service may inadvertently not be running.
- Resolved several minor typos in the user interface.
- Resolved an issue where changed cluster passwords were not replicated through the entire system.
Features
Added per-site policy GeoIP-based blacklisting/whitelisting functionality.
Security
Added internal last modified date for CRUD operations on websites, to be relayed to Alert Logic’s backend.
Changes
- User interface will now prevent creation of a proxy whose IP:port overlaps with another proxy/protocol.
- Internal daemons dealing with syslog messages now have higher free disk thresholds, consistent with alarms.
Release date: February 7, 2017 Version 4.5.2.0
Bug fixes
- Resolved an issue where stats database could end up with improper permissions.
- Resolved potential slow memory leaks with stats collector.
- Improved watchdog recovery of logging agent.
Features
Completed support for new AWS regions that require both HVM and v4 signatures.
Changes
Introduced dependency on new health monitoring agent.
Release date: January 19, 2017 Version 4.5.1.2
Bug fixes
- Improved logging related to blocking/blacklisting IPs, both removing excess errors and ensuring details are properly logged.
- Ensure blocking configuration files are properly written during AWS master re-spins.
- Resolved issue with block timeouts falling back to default rather than using configured timeout.
- Resolved an issue with adding overlapping ranges to blacklists that resulted in some IPs not blacklisted.
Features
Extended maximum header size limitation to optionally allow headers up to 32k.
Release date
December 15, 2016 (4.5.1.1)
Bug fixes
- Updated response inspection to pick up configuration changes when website configurations are changed.
- Improved handling of learn candidate failures to prevent unexpected deny logs from being created from learn candidates.
- Resolved an issue with System>Tools>Website Configuration preventing expected configuration content from being returned.
- Addressed an issue that may result in unexpected mismatched version alarms within a cluster.
Features
N/A
Security
Provided an updated kernel to address potential security vulnerabilities (including dirtyc0w).
Changes
- Updated several minor issues in the REST API and added a new API call to get IP addresses.
- Updated invalid hostname violation to enforce SSL hostname restrictions.
- Provided an affordance for single quotes present in file paths to be allowed by modifying the allowable files regular expression.
Notice
N/A
Release date
October 27, 2016 (4.5.1.0)
Bug fixes
- This release removes the unexpected need for initial configuration save and restart of the WSM appliance UI at provisioning time.
- This release resolves an issue where backend server violations did not always log headers.
- This release resolves an issue where layer 7 blocking did not always work following autoscaling instance respins.
- This release removes superfluous error generation when syncing routing proxy configs.
- This release improves resilience of deny log transport in certain edge cases.
- This release improves storage of datacenter affiliation configuration.
- This release adds functionality to always include response parameters (even if values are empty) in deny logs to ensure logs are properly parsed.
- This release improves Denial of Service mitigation setting configuration to ensure settings are saved and operate as expected.
- This release addresses an issue related to response inspection learning that can lead to increased CPU consumption.
- This release improves handling of iptables configuration to ensure appliance-specific changes are not overwritten for both WSM Premier and WSM (Out of Band).
- This release resolves a scenario where the ACL cache can be cleared during the autoscaling instance boot process.
- This release improves payment card masking to reduce false positives in deny log masking.
Features
N/A
Security
This release updates HTTP SSL settings to lock down insecure ciphers and SSL/TLS for WSM (Out of Band).
Changes
- WSM Appliance API users can now be created via UI, CFT, and during appliance provisioning.
- WSM Appliance API users will now be indicated in the appliance UI.
- IP Addresses extracted from X-Forwarded-For headers will now be the leftmost non-private IP.
- Deny log rotation is now limited to preserving 100k records, which will be rotated more frequently.
- Improvements to several WSM appliance alarms facilitate better monitoring and troubleshooting by Alert Logic operations teams.
- Updated WSM appliance SQLite instance for improved stability and reliability.
Notice
N/A
Release date
September 19, 2016 (4.5.0.2)
Bug fixes
- This release resolves an issue where Content-Type was not being matched case-insensitively.
- This release improves handling of chunked multipart/form-data.
- This release prevents multiple instances of internal services from running on the appliance.
- This release resolves two minor syslog daemon configuration issues.
- This release resolves an issue where invalid learn chunks could cause startup failures without manual intervention.
Features
N/A
Security
This release updates the embedded agent which now includes additional TLS1.2 support for Alert Logic services.
Changes
N/A
Notice
N/A
Release date
August 11, 2016 (4.5.0.0)
Bug fixes
- This release ensures the syslog daemon is restarted properly after upgrade.
- This release resolves an issue with single tuned site configurations not properly transmitting log activity.
- This release resolves an issue with configuration files potentially being overwritten during an upgrade.
- This release resolves an issue during boot where AWS environments were not properly recognized.
- This release resolves an issue with duplicate fwmark rules being created in transparent proxy deployments.
Features
- This release adds capabilities to capture and analyze full server responses, providing the response and potential indicators of compromise within the UI and deny logs.
- This release improves support for Azure WSM deployments, including adjustments to SSH ClientAliveInterval and the WSM configuration UI.
Security
This release resolves CVE-2016-4450 (a potential DoS condition in nginx).
Changes
This release removes VLAN submenu from WSM UI in deployments where it’s not used.
Notice
- N/A
Release date
June 16, 2016 (4.4.3.0)
Bug fixes
- This release resolves an issue with unnecessary services running on auto-scaling workers.
- This release resolves an issue with connectivity to S3 during updates.
- This release resolves several minor issues that could generate unexpected log output.
- This release resolves several issues with the internal watchdog to improve resilience.
- This release resolves an issue where SSL certificate chain expiration dates could appear incorrectly or be out of sync across components.
- This release resolves an issue related to certain scans causing unexpected appliance behavior.
- This release resolves an issue where certain scheduled tasks would not run in configured timezones.
- This release resolves an issue where cluster IP alias limits were not functioning as expected in configuration UI.
- This release resolves an issue with custom access log formats not behaving as expected.
Features
- N/A
Security
- This release updates openssl library to address recent openssl vulnerabilities (including CVE-2016-2108 and CVE-2016-2107).
Changes
- This release further restricts remote login access via SSH to internal and Alert Logic networks.
Notice
- N/A
Release date
April 21, 2016 (4.4.2.0)
Bug fixes
- This release resolves an issue causing proxy stats database to grow excessively large in size.
- This release resolves an issue with a dependent service failing to auto-upgrade during provisioning.
- This release resolves an issue with missing configuration settings not being restored during re-spin in AWS auto-scaling deployments.
- This release resolves an issue with WSM agent service consuming resources on AWS auto-scaling workers.
- This release resolves an issue with the management of multiple instances of dependent services.
- This release resolves an issue with the bootstrap process when services are not immediately ready.
- This release resolves an issue with AWS auto-scaling workers performing unnecessary S3 config backups.
- This release resolves an issue related to layer 7 blocking, including a problem with timeout enforcement.
Features
- This release adds several improvements relating to web security content, including additional details in the deny log when content is triggered.
- This release adds support for monitoring RESTful API methods and zero-length requests that normally have a request body.
- This release adds several improvements to aid in troubleshooting of WSM appliances, while improving monitored checks.
Security
- N/A
Changes
- This release changes worker CPU usage calculation to use standard deviation instead of min/max.
- This release changes backend health check configuration to reject semicolons in path.
Notice
- N/A
Release date
March 3, 2016 (4.4.1.0)
Bug fixes
- This release resolves an issue where WSM user guides/help links may not have been accurate to the WSM version deployed.
- This release resolves issues with several scenarios that could cause unexpected responses to carefully crafted requests.
- This release resolves an issue causing failures importing PKCS12 certificates.
- This release resolves an issue with static routes when using interface-specific gateways.
- This release resolves an issue where temporary files remained after working with SSL cache.
- This release resolves an issue where it was not possible to bypass an unknown method (e.g. WebDAV LOCK) when parameters/cookies were present.
- This release resolves an issue deploying customer-specific hotfixes to AWS auto-scaling deployments.
- This release resolves an issue displaying deny log when Unicode encoded characters were present in an entry.
Features
- This release adds support for worker access logs to be aggregated on master (similar to deny logs).
Security
- This release updates glibc and openssl to address recent upstream security announcements.
Changes
- This release extends enforcement of SSH access, eliminating remote access from the “operator” user.
Notice
- N/A
Release date
July 7, 2016 (3.2.38)
Bug fixes
N/A
Features
N/A
Security
- This release updates openssl library to address recent openssl vulnerabilities (including CVE-2016-2108, CVE-2016-2107).
Changes
- This release further restricts remote login access via SSH to internal and Alert Logic networks.
- This release enables masking of sensitive payment card information in log data by default.
Notice
N/A