AppWall Release Notes

Version 7.5.5, October 03, 2017


Table of Contents

Content
Supported Platforms and Modules
Upgrade Path
Upgrade Procedure
Product Modifications
    AppWall Version 7.5.1
    AppWall Version 7.3.4
    AppWall Version 7.3.2
    AppWall Version 7.1.1
    AppWall Version 6.6.1
    AppWall Version 6.4.1
    AppWall Version 6.2.1
What’s New
    AppWall Version 7.5.2
    AppWall Version 7.3.2
    AppWall Version 7.1.1
    AppWall Version 6.6.1
    AppWall Version 6.5.1
    AppWall Version 6.4.1
    AppWall Version 6.2.2
    AppWall Version 6.2.1
Related Documentation
Fixed Bugs
Known Limitations


Content

Radware announces the release of AppWall version 7.5.5. These release notes describe known product offerings and known limitations in the version.

Supported Platforms and Modules

This version is supported by the following platforms:

Platform                               Notes and Exceptions
On Demand Switch VL                    -
VMware ESX/ESXi 5.0, 5.1, 5.5 & 6.0    -

For more information on platform specifications, refer to the AppWall Installation and Maintenance Guide.

Upgrade Path

You can upgrade to this version from AppWall versions 5.7.2 and higher.

For AppWall VA only: starting from version 5.5.1, there is no upgrade path from AppWall VA (32-bit) to AppWall VA (64-bit).

Upgrade Procedure

General upgrade instructions are found in the AppWall Installation and Maintenance Guide.


Product Modifications

AppWall Version 7.5.1

A new Form Field and URL Protection feature license is added for form field and URL protection as part of the Session security filter. Without this license, the Session filter only protects cookies. Since this feature is rarely used, the introduction of this license simplifies the operation and management of AppWall. When upgrading an existing AppWall from an older version, this functionality remains functional without the need for a new license.

AppWall Version 7.3.4

Because of its very limited use, the internal web crawler was removed from AppWall. You can no longer define crawling jobs for the purpose of Auto Policy Generation.

AppWall Version 7.3.2

The Allow List security filter no longer treats HEAD requests as GET requests. This affects refinements of GET requests that no longer allow HEAD requests to pass.

AppWall Version 7.1.1

Kerberos S4U2Self tickets are now cached.

Database and Vulnerability security filters now support patch mode.

SSL protocol violation events now provide more detailed information.

AppWall Version 6.6.1

Perfect Forward Secrecy (PFS) is now available using Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman (ECDH) for HTTPS Tunnels.

APSolute Vision configuration now supports multiple APSolute Vision servers.

AppWall Version 6.4.1

The OpenSSL version was updated to 1.0.1p.

The IP Blocking module was updated to support blocking by device fingerprint and was renamed the Source Blocking module.

AppWall Version 6.2.1

OpenSSL version was updated to 1.0.1m.


What’s New

This version includes the following new capabilities:

AppWall Version 7.5.2

A new Low and Slow attack mitigation capability is introduced. AppWall behavioral Low and Slow attack detection is based on HTTP timeouts and HTTP request throughput, for much more efficient mitigation. The new Low and Slow protection settings are configured at the tunnel level.

AppWall Version 7.3.2

Ability to group hosts under a single security policy.

Improved AppWall cluster management in multiple datacenters:

o AppWall allows setting different protected entities addresses to different nodes in a cluster.

o AppWall allows setting different APSolute Vision servers to different nodes in a cluster.

AppWall Version 7.1.1

HPE WebInspect DAST integration support:

o AppWall imports HPE’s WebInspect vulnerability report and updates the security policy accordingly.

o AppWall initiates an HPE WebInspect scan on new or changed resources.

AppWall Version 6.6.1

Improvements to Authentication Gateway:

o AppWall’s SSO capabilities support authenticating the user with the protected web server using Kerberos Constrained Delegation (KCD), NTLM, Basic Authentication and Digest Authentication.

o AppWall’s Form-Based Authentication supports two-factor authentication.

Improvements to HTTPS Tunnel cipher suites:

o Added support for Perfect Forward Secrecy (PFS) using Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman (ECDH).

AppWall Version 6.5.1

1. Improvements to Forensics view:

a. Added Go-To-Policy option from the Forensics view. From the security logs, the user can go to the relevant security module in the security policy view.

b. Added grouping of security events based on source IP and/or attack type.

2. Improvements to the RESTful API: added support for new flows such as:

a. Cluster management

b. Service management

c. Tunnel configuration export

d. Network management: Routing, LAG, VLANs

e. Users provisioning.

AppWall Version 6.4.1

1. Activity Tracking Improvements:

o Added support for IP group whitelisting. Whitelisting an IP group causes AppWall not to track it, even in fingerprint mode.

o Added support for refinement of device fingerprinting to the whitelist.

o Various other technical improvements.

2. Device Fingerprinting Outside the Activity Tracking Module: When device fingerprinting is enabled, devices are identified via fingerprint in modules outside of the Activity Tracking module. As a result, forensic events carry the fingerprint hash, and the Source/IP Blocking module works based on the device fingerprint rather than the IP address.

3. TLS 1.2 Support in Monitor Mode: AppWall Out-of-Path mode supports TLS 1.2 traffic.

4. RESTful API: AppWall supports a RESTful API that allows common flows to be configured programmatically.

5. APSolute Vision Integration: AppWall has initial support for integration with the APSolute Vision management system for common flows.

AppWall Version 6.2.2

1. Regular Expression Support in Vulnerabilities Security Filter: While regular expressions are widely used in AppWall for inspecting various HTTP message elements, including parameter values and paths, HTTP headers were not scanned with regular expressions. This version adds support for regular expressions in vulnerabilities custom patterns and signature files. Along with this functionality, a new regular expression-based rule to block MS15-034 / CVE-2015-1635 was added.

AppWall Version 6.2.1

1. Activity Tracking Early Availability Functionality: Bot activity and attacks targeting Web applications are a complex threat for many site operators. While simple script-based bots are not much of a challenge to detect and block, advanced bots dramatically complicate the mitigation process using techniques such as mimicking user behavior, using dynamic IP addresses, operating behind anonymous proxies and CDNs, etc. The various bots aim to achieve different goals, where the most common ones are web scraping, Web application DDoS and clickjacking. In this version AppWall introduces a new Activity Tracking Module which deals with these bot-generated threats. AppWall’s Activity Tracking mechanism can be set to one of two operational modes:

o Anti-DDoS

o Anti-Scraping

Application DDoS does not necessarily target specific resources (though it may sometimes be the case). Configuring AppWall to the Anti-DDoS mode tracks the activity of the users at the domain level. If applied at the <Any Host> level, activity will be globally tracked (domain agnostic). Scraping, however, is data-focused and usually targets specific Web pages where relevant information can be extracted. In the Anti-Scraping mode, tracking is narrowed to the configured URI(s). The Activity Tracking module counts the HTTP transaction rate to the defined application scope (domain/page) per user per second. Once the threshold is reached, a security page is returned instead of the requested resource. The Activity Tracking module can be set to one of two tracking modes:

o IP-based tracking (available both in Passive and Active modes) is not intrusive.

o Device Fingerprint-based tracking (available only in Active mode) is intrusive.

While IP-based tracking offers the value of non-intrusive activity tracking and detection capabilities, device fingerprint-based tracking offers IP-agnostic source tracking. AppWall can detect bots operating in a dynamic IP environment and activity behind a source NAT (sNAT), such as an enterprise network or proxy. Even if the bot dynamically changes its source IP address, its device fingerprint does not change. AppWall tracks the device activity and correlates the source security violations across different sessions over time. Device fingerprint technology employs various tools and methodologies to gather IP-agnostic information about the source, including running JavaScript on the client side. Once the JavaScript is processed, an AJAX request is generated from the client side to AppWall with the fingerprint information. When Activity Tracking is set to IP-based tracking, it can be correlated with the IP blocking module. Once a source IP reaches a configured threshold, the source IP is blocked (either Layer 3 or Layer 7). To avoid scenarios where AppWall mistakenly detects search engine bots (for example, Google or Yahoo) as malicious bots, there is a mechanism in AppWall that detects and verifies legitimate search engine bots by running a reverse-DNS lookup process to verify their source and to exclude them from the list of tracked sources.

2. Link Aggregation Support: Link Aggregation is a method for aggregating multiple network interfaces in parallel in order to increase throughput beyond what a single NIC can sustain, and to provide redundancy in case one of the links should fail. The AppWall Link Aggregation implementation is based on Linux bonding. AppWall Link Aggregation is configured in the AppWall Management Application Web interface.

3. OS X Support: The AppWall Management Application can now run on OS X. Supported browsers are Safari and Firefox. Chrome is not supported (due to Java FX compatibility issues with Chrome on OS X).

4. Range Header Removal: AppWall now supports disabling the HTTP Range header. Once this HTTP parsing property is checked, the Range header is removed from the HTTP request. CVE-2015-1635 (MS15-034) can be addressed by disabling the Range header.

5. Management Application Timeout: AppWall now has a default timeout of 60 minutes for its management application connectivity to the AppWall server.

6. Internally Hosted Security Page: When configuring the security page of a host within a Web application, you can define a locally-hosted security page. This is in addition to the option of referring to a security page hosted on the secured Web server.

7. Tech Support File: AppWall now supports generating a tech support file. Several levels of detail can be selected to derive the size of the tech support file. When submitting a support case, the tech support file contains important information for analysis, recreation and root cause analysis (RCA).
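The Activity Tracking behaviour described under item 1 above (per-source transaction-rate counting scoped either to a domain or to the configured URIs, a security page once the threshold is crossed, and reverse-DNS verification of search-engine bots so that they are excluded from tracking) can be illustrated with a small model. The following Python is an added example written for these notes, not Radware's code: the class and function names, the thresholds, the bot domain list and all DNS data are constructed assumptions, and DNS is replaced by an injected stub so the block runs offline. The bot check uses forward-confirmed reverse DNS (the PTR name must fall under a trusted domain and must resolve back to the same address), which is the check a practitioner would want behind "verify their source"; the notes do not detail AppWall's own lookup.

```python
"""Added example (not Radware code): a per-source HTTP transaction-rate tracker in the
style of the Activity Tracking module, with forward-confirmed reverse-DNS verification
of search-engine bots. Names, thresholds, domains and DNS records are constructed."""
from collections import defaultdict


class FakeResolver:
    """Constructed stand-in for DNS so the example runs offline."""

    def __init__(self, ptr, a):
        self.ptr = ptr  # ip -> [hostnames]   (reverse / PTR records)
        self.a = a      # hostname -> [ips]   (forward / A records)

    def reverse(self, ip):
        return self.ptr.get(ip, [])

    def forward(self, name):
        return self.a.get(name, [])


def verified_search_bot(ip, resolver, bot_domains):
    """Forward-confirmed reverse DNS: the PTR name must fall under a trusted
    search-engine domain AND resolve back to the same IP. A PTR record alone is
    controlled by whoever owns the address block, so it must not be trusted."""
    for name in resolver.reverse(ip):
        name = name.rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in bot_domains):
            if ip in resolver.forward(name):
                return True
    return False


class ActivityTracker:
    # bot_domains is an illustrative list, not AppWall's configuration
    def __init__(self, mode, threshold, resolver, scope=None,
                 bot_domains=("googlebot.com", "crawl.yahoo.net")):
        if mode not in ("anti-ddos", "anti-scraping"):
            raise ValueError("mode must be 'anti-ddos' or 'anti-scraping'")
        self.mode = mode
        self.threshold = threshold      # transactions per source per second
        self.resolver = resolver
        # anti-ddos: a host name, or None for <Any Host> (domain agnostic)
        # anti-scraping: the set of protected URIs
        self.scope = scope
        self.bot_domains = bot_domains
        self.counts = defaultdict(int)  # (source, scope_key, second) -> hits
        self.bot_cache = {}             # source -> verified-bot verdict

    def _scope_key(self, host, path):
        """Return the counting key for a request, or None if it is out of scope."""
        if self.mode == "anti-ddos":
            if self.scope is None:
                return "*"
            return host if host == self.scope else None
        return path if path in self.scope else None

    def observe(self, source, host, path, ts):
        """Decide one HTTP transaction: 'forward' or 'security_page'."""
        key = self._scope_key(host, path)
        if key is None:
            return "forward"            # not tracked at all
        if source not in self.bot_cache:
            self.bot_cache[source] = verified_search_bot(
                source, self.resolver, self.bot_domains)
        if self.bot_cache[source]:
            return "forward"            # verified search-engine bot is never tracked
        bucket = (source, key, int(ts))  # per user, per scope, per second
        self.counts[bucket] += 1
        if self.counts[bucket] > self.threshold:
            return "security_page"      # threshold crossed: serve the security page
        return "forward"


def demo():
    """Run four constructed sources through an Anti-Scraping tracker (threshold 3/s)."""
    resolver = FakeResolver(
        ptr={"203.0.113.7": ["crawl-203-0-113-7.googlebot.com."],
             "198.51.100.9": ["crawl-fake.googlebot.com."]},   # PTR claims Google...
        a={"crawl-203-0-113-7.googlebot.com": ["203.0.113.7"],
           "crawl-fake.googlebot.com": ["192.0.2.44"]},       # ...but does not resolve back
    )
    tracker = ActivityTracker("anti-scraping", threshold=3, resolver=resolver,
                              scope={"/catalog"})
    t = 1_700_000_000.0                 # five requests within the same second
    run = lambda src, path: [tracker.observe(src, "shop.example", path, t + i * 0.1)
                             for i in range(5)]
    return {"client": run("192.0.2.10", "/catalog"),    # ordinary client, tracked
            "offscope": run("192.0.2.10", "/about"),    # outside protected URIs
            "bot": run("203.0.113.7", "/catalog"),      # verified Googlebot, excluded
            "fake": run("198.51.100.9", "/catalog")}    # spoofed PTR, tracked


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9s} {verdicts}")
```

The spoofed source is the case that matters: its PTR record says "googlebot.com", but because the name does not resolve back to the address, it is tracked exactly like any other client. Caching the verdict per source also mirrors the DE18890 note above, where each reverse lookup is a network round-trip with its own timeout.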
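As an added illustration of the Range Header Removal option (item 4 above), the following Python strips every Range header from a raw HTTP/1.1 request before it would be forwarded. It is example code written for these notes, not AppWall's implementation; the function name and the sample requests are constructed. The points it shows are the ones that matter for any header-stripping control: matching the header name case-insensitively, removing repeated occurrences and obsolete folded continuation lines, and leaving the request line, the other headers and the body intact.

```python
"""Added example (not Radware code): remove the HTTP Range header from a raw request.
Function name and sample requests are constructed for illustration."""


def strip_range_header(raw: bytes) -> bytes:
    """Return the request with every Range header removed, everything else untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    kept = []
    skipping = False
    for line in headers:
        if line[:1] in (b" ", b"\t"):
            # obsolete line folding: continuation of the previous header
            if not skipping:
                kept.append(line)
            continue
        name, _, _ = line.partition(b":")
        skipping = name.strip().lower() == b"range"   # case-insensitive match
        if not skipping:
            kept.append(line)
    return b"\r\n".join([request_line] + kept) + b"\r\n\r\n" + body


# Constructed sample: two Range headers with different casing, no body.
SAMPLE_GET = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"range: bytes=0-1023\r\n"
    b"Range: bytes=2048-\r\n"
    b"User-Agent: constructed-client/1.0\r\n"
    b"\r\n"
)

# Constructed sample: folded Range header followed by a body that must survive.
SAMPLE_POST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Range: bytes=0-\r\n"
    b" 1023\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def demo():
    return {"get": strip_range_header(SAMPLE_GET),
            "post": strip_range_header(SAMPLE_POST)}


if __name__ == "__main__":
    for name, out in demo().items():
        print(name, out)
```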

Related Documentation

The following documentation is related to this version:

AppWall Installation and Maintenance Guide

AppWall User Guide

APSolute Vision User Guide

For the latest Radware product documentation, download it from http://www.radware.com/Customer/Portal/default.asp.


Fixed Bugs

The following is a list of bugs fixed in AppWall version 7.5.5:

AppWall Gateway

1. Memory leak in the Activity Tracking module was fixed. (DE27548)
2. When an HTTP parsing failure occurred, a wrong security event message appears. (DE24622)
3. Under certain conditions, the options “Support Base 64 Data” and “Support XML Data” within the Database filter become disabled although they have been enabled. (DE23364)
4. HTTP parser blocks requests with a double slash in the URL without any security event. (DE25505)
5. When changing the Cluster Manager’s management IP address, policy sync between the nodes and the Cluster Manager failed. (DE24408)
6. AppWall disk partition becomes full due to an unmanaged log file. (DE25918)
7. Different AppWall instances running on the Alteon platform send logs to Vision with different hostnames but with the same management IP address. (DE28056)
8. Failure in the AppWall Management Application occurred after creating a complex RegEx in the security policy settings. (DE28086)
9. Hostname field is truncated in the logs sent to Vision. (DE28456)
10. Under certain conditions, AppWall sends messages to Vision with a wrong destination IP address in the message. (DE28650)
11. Under certain conditions, the Tunnel name is not properly imported during an import process. (DE28721)


The following is a list of bugs fixed in AppWall version 7.5.2:

AppWall Gateway

1. When AppWall is in Monitor mode, the Security Event in Forensics presents a wrong Source Port compared with the pcap. (DE12173)
2. Error in the AppWall Management Application when a rule in the Database filter is added. (DE18775)
3. Security logs for an HTTP Parsing violation do not show the Host name value. (DE20023)
4. Security logs for header size exceeding the limit do not show the correct cookie header value. (DE22565)
5. AppWall responds to ARP requests with a wrong MAC address. (DE22978)
6. After an upgrade from 5.8.10 to 7.3.3, memory usage increases from 65% to 80% after several days because of a memory leak. (DE23877, DE27889)
7. In Monitor mode, in the tunnel configuration, the field “Device in Use” presents wrong information. (DE23966)
8. AppWall does not block a double-encoded attack. (DE24389)
9. The Description field in the security logs sent to the Vision Server does not contain all the expected information. (DE24534)
10. Adding two refinements for the same URI with different character case causes an AppWall failure. (DE24880)
11. A failure of the HTTP Parse service occurs after sending a huge amount of traffic just after applying the configuration. (DE25161)
12. In AppWall Monitor, under certain conditions, HTTPS traffic causes an AppWall failure. (DE25174, DE27352, DE7475)
13. An error message appears in a pop-up when configuring Vision. (DE25778)
14. In Cluster mode, under certain conditions, synchronization issues occur. (DE6805)
15. Under certain conditions (high throughput, specific HTTP requests…) AppWall failed to process the traffic. (DE25277, DE25278, DE25606)
16. The “Event type” field sent to the Vision Server is wrong. (DE25445)
17. When the AppWall Activity Tracking module is set to Fingerprint mode and Source Blocking is enabled, the IP sources are not blocked by the Source Blocking module. Attacks are still blocked by Activity Tracking and other modules. (DE25541)
18. The Configuration file is reset when performing a Repair option. (DE8231)

The following is a list of bugs fixed in AppWall version 7.5.1:

AppWall Gateway

1. Failed to decode the & character in configuration files. As a result, the role name “Proxies&Untrusted” was saved and presented as Proxies&amp;Untrusted. (DE21729)
2. Does not detect a double-encoded attack. (DE23964)
3. Blocked a legitimate JSON request with the allowed body {}. (DE21592)
4. Memory and CPU utilization significantly increase when processing a huge request line (thousands of characters). (DE6957)

The following is a list of bugs fixed in AppWall version 7.4.2:

AppWall Gateway

1. When the Activity Tracking module is set to Active mode, rarely, it may impact legitimate traffic. (DE19558)
2. Upon an HTTP RFC parsing violation, a security event may not include the source IP address of the attack source. (DE19870)
3. Several Database Security Filter bugs, where both regular expression refinements and explicit refinements on a parameter name were handled inaccurately. Now, when an explicit refinement is added on top of an existing regular expression refinement for the same parameter on the same page, the new refinement is merged into the already existing regular expression. (DE21308, DE22744, DE22863, DE22472)
4. Parameters security filter may cause false positives when the parameter contains the single-quote character ('). This special character is not encoded properly in the configuration, resulting in a failure of the regular expression match. (DE17387)
5. Rarely, when a POST request with a JSON body is decoded and inspected by the Database Security Filter, a failure occurs. (DE17571)
6. Rarely, under specific scenarios, the AppWall Management Application does not refine a SafeReply security event from the Forensics view. (DE18217)
7. Cannot delete a user group that has no reference in the security policy. (DE18859)
8. BruteForce security filter may cause failure under specific configuration conditions. (DE18961)
9. Dashboard activity graphs under the Tunnels view are not refreshed properly. (DE19224)
10. Failures during importing a tunnel configuration from a file. (DE19288)
11. Some JSON parsing violations are not properly mapped to the matching parsing exception. For the pattern {_!RmEndMessage_}, disabling JSON parsing was required rather than just "Allow curly brackets after JSON block". (DE19806)
12. Fails to detect a Scraping attack in the Activity Tracking module when the protected URI is defined with capital letters. (DE21184)
13. When the HTTP message body size is set to a 10-digit value (e.g. 9000000000), the system used the default value of 45,056. (DE20289)
14. Newly-added tunnels are not presented under the Default Web Application view. (DE21235)
15. Application Path policy distribution causes an AppWall Management Application exception, failing the distribution operation. (DE21384)
16. Adding a Database refinement for exclude rules causes an AppWall Management Application exception, failing the operation. (DE23714)
17. The Activity Tracking mechanism generates DNS reverse lookups to exclude good bots from the detection process. A short timeout of 3 seconds may lead to system log errors notifying about DNS lookup failure. The default value is now 5 seconds and the administrator can configure longer timeouts. (DE18890)

The following is a list of bugs fixed in AppWall version 7.3.4:

AppWall Gateway

18. When configured in Passive mode, the Session filter removes cookies.
19. “Always blocks source IP” failed to work.
20. After upgrade to 7.3.2, tunnel initialization failed on a Cluster node.
21. HTTP requests that were expected to be blocked by the AllowList security filter were not blocked when the folder name includes a dot (e.g. http://www.host.com/index.php/exxx).
22. Blank error messages were occasionally shown when saving configuration changes.
23. The Database Security Filter may apply an optimization process to the refinements generated automatically, using a parameter trimming mechanism, to reduce the number of refinements. When processing HTTP requests with a JSON body, the JSON structure was not handled properly by the Database security filter when the trimming mechanism is enabled. This may lead to blocking legitimate requests, resulting in false positives.
24.
25.
26.

The following is a list of bugs fixed in AppWall version 7.3.2:

AppWall Gateway

1. Under certain conditions, signaling to DefensePro in monitor (out-of-path) mode may cause an AppWall failure. (DE16309)
2. Under certain conditions, when AppWall is working in monitor (out-of-path) mode, the source blocking signal to DefensePro is not sent. (DE16158)
3. Under certain conditions, AppWall fails to un-block IPs from DefensePro after the blocking period is over. (DE15196)
4. Under certain conditions, database security filter refinements containing regular expressions are not taken into consideration, blocking legitimate traffic. (DE14942, DE15026)
5. Under certain conditions, upgrading from an older version will cause database security filter refinements to be removed. (DE16297)
6. Under certain conditions, requests that are matched by multiple database security filter refinements are blocked by the filter regardless of the refinement. (DE15536)
7. AppWall PCI Compliance report shows the session security filter as disabled while it is actually enabled. (DE12574)
8. Under certain conditions, a tunnel working in passive mode will close connections that exceed the HTTP max body size parameter. (DE16818)
9. Under certain conditions, a tunnel working in passive mode will not pass a request containing an HTTP parsing error to the protected entity. (DE12442)
10. Under certain conditions, AppWall in monitor (out-of-path) mode may experience a failure.
11. Vision shows a wrong "deployed in" mode when connecting to AppWall deployed in monitor mode.
12. After the blocking period time, AppWall may fail to unblock the signaled IP sources in DefensePro. In a related scenario, AppWall may fail to block the attack source on a subsequent signaling flow. (DE18004, DE18291)
13. Response data is greyed out in the Forensics view. (DE14059)
14. Unable to create a custom pattern for the Safe Reply security filter. (DE15797)
15. AppWall initialization error due to a problem in the .lrn file. (DE16194)

The following is a list of bugs fixed in AppWall version 7.1.1:

AppWall Gateway

1. Under certain conditions, AppWall truncates cookies. (DE15586)
2. Under certain conditions, HTTP pipelining in SSL sessions may cause an AppWall failure. (DE14980)
3. Unable to add a Gateway to the Cluster Manager on an encrypted connection. (DE8185)
4. AppWall Management Application may not correctly display large response data in the security forensics. (DE9846)
5. Failure in APSolute Vision may lead to an AppWall failure. (DE14856)
6. SYNC_START error when adding a new node to a cluster environment. (DE8930)
7. AppWall Management Application does not save ADV configuration file changes made via the configuration file editor. (DE9487)

The following is a list of bugs fixed in AppWall version 6.6.2:

AppWall Gateway

1. Under certain conditions, HTTPS tunnels in passive mode may cause an AppWall failure. (DE14710)


The following is a list of bugs fixed in AppWall version 6.6.1:

AppWall Gateway

1. Under certain conditions no response data is shown in the security event log. (DE9163)
2. Under certain conditions HTTP HEAD requests are blocked. (DE13333)
3. Setting the HTTP response headers size limit to zero results in AppWall blocking responses. (DE12889)
4. HTTP POST requests with content-type application/JavaScript are parsed as JSON requests even when they contain no JSON body. (DE13321)
5. Vulnerability Security Filter doesn’t apply specific header limitations for certain patterns. This could result in false positives for patterns such as 9841. (DE12920)
6. AppWall management Java applet doesn’t open on Ubuntu-based machines. (DE10974)
7. Issue with configuring an external security page. (DE10854)
8. JSON parsing blocks JSON with numbers exceeding the 32-bit integer max value. (DE8888)
9. Cluster-Node sync issues may occur with very large Allow List security filter settings (when the AllowList.adv size is over 2 MB). (DE8702)
10. Under certain conditions AppWall sends SYSLOG reports to APSolute Vision over the service interface. (DE10443)
11. AppWall closes the connection on an HTTP Parsing error in an HTTP POST request instead of returning a security page. (DE10983)
12. Quick-Click refinement of directory listing events may not work. (DE4179)
13. In passive mode, HTTP RFC violation events are not shown with the X-Forwarded-For (Layer 7) IP address. (DE13576)

The following is a list of bugs fixed in AppWall version 6.5.1:

AppWall Gateway

1. After upgrade to 6.4.1 the management interface IP address is changed to 127.0.0.1. (DE6770)
2. IP Blocking wildcard-based setting in the never-block list is not enforced. (DE6981)
3. Under certain scenarios, Parameters filter manual refinement may cause duplication of page references in the configuration, resulting in an initialization error. (DE7522)
4. Blocked a legitimate request when it contains more than one parameter that matches a pre-defined regex refinement. (DE6890)
5. When the Auto Policy Generation module adds a vulnerability refinement for a custom pattern rule, the refinement may have ID 0 values, resulting in an initialization error. (DE7165)
6. When reviewing the Security Logs in the Cluster Manager, logs of nodes may not show request data. (DE7214)
7. A “Viewer” user cannot edit his own password. (DE5860)
8. When clicking the “Request Data” button the mouse cursor freezes for several seconds. (DE8918)
9. Allow List filter does not let methods other than GET or POST be configured. (DE9478)
10. JSON parsing failure (e.g. as a result of an invalid structure) with sensitive parameters within the JSON object may cause inconsistent behavior. (DE9147)
11. Regular expression-based patterns in the Safe Reply security filter are not working properly. (DE5943)
12. Import of SSL certificates in PEM format into AppWall Monitor may cause an AppWall failure. (DE6611)
13. AppWall Management Application exception when trying to activate Hotlink security settings. (DE6768)
14. AppWall Management Application exception when trying to add a custom pattern in the Vulnerabilities security filter. (DE8104)
15. AppWall Management Application exception when trying to edit an Allow List refinement. (DE8610)

The following is a list of bugs fixed in AppWall version 6.4.1:

AppWall Gateway

1. AppWall occasionally crashes during apply operations. (DE2722)
2. Certificate DB is corrupted after upgrade. (DE3880)
3. Exception when configuring a refinement under the global session filter on the host level. (DE4438)
4. Database quick click refinement parameters should be copied from existing "all other pages" refinements. (DE4459)
5. AppWall crashes when the Vision reporter is enabled. (DE4690)
6. IP addresses and default routes assigned to bond interfaces are removed on reboot. (DE5860)
7. When clicking the “Request Data” button the mouse cursor freezes for several seconds. (DE6044)
8. A request with a double slash produces an RFC violation security event. (DE6045)
9. Creating a bond does not work and the AppWall Management Application shows errors. (DE5276)
10. Events are not saved to the event database. (DE2047)
11. AppWall crashes when importing a certificate. (DE3511)
12. When AppWall receives a HEAD request it sends GET to the Web server. (DE4465)
13. All MNG-Server-Connections addresses change to ethMNG after upgrade. (DE4970)
14. XFF addresses are not extracted in tunnel events. (US4704)
15. GET requests to security pages contain content-length headers. (DE4463)
16. BypassExtentions.cfg file is not upgraded when restoring an old configuration. (DE2053)
17. SSO with SharePoint does not work. (US6894)
18. Monitor fails to see TLS 1.2 traffic. (US6889)
19. Service default route is removed from the routing table when changing the bond hash policy on AppWall. (DE5383)

The following is a list of bugs fixed in AppWall version 6.2.2:

AppWall Gateway

1. Added auto-detection of screen resolution and auto-sizing of dialogs larger than the viewable area. If a dialog is larger than the viewable area, the dialog will automatically be shortened and a scroll bar added.

The following is a list of bugs fixed in AppWall version 6.2.1:

AppWall Gateway

1. The order of security filters when manually adding a new Application Path. (prod00216797)
2. There was a memory leak in the AppWall Monitor. (US4552)
3. Reply auto-policy rules (e.g., 302 instead of 404) were not maintained after upgrade. (US5990)
4. When multiple HTTP “Connection” headers were found in an HTTP request, AppWall retained only the first. In some scenarios, where header values were not contradicting (for example, keep-alive and close) AppWall retained both headers. (US6086)
5. When a tunnel is set to passive mode, parsing errors were not counted for IP blocking purposes. (US4814, prod00229770)
6. HTTP message sizes in server replies were not optimized when tunnel optimization was checked. (US4547)
7. When AppWall redirects the user to an SSO server, it uses HTTP links, while in some cases the actual tunnel is HTTPS. A new check-box “Force HTTPS usage for redirection” was added under the Form Based Authentication tab under the host to address this scenario. (DE2263)
8. AppWall Management Application now allows adding new refinements to the Allow List Auto Policy locked tab. (prod00210890)
9. You can select a Protected Entity or add a new tunnel in bridge mode. (prod00226540)
10. Clicking the filter button on a node’s forensics view in the AppWall Management Application now works properly. (prod00221708)
11. The scenario where a legitimate JSON request was blocked as a non-RFC compliant POST request now works properly. (prod00225338)
12. The error in the configuration of the signature sent to DefensePro once AppWall detects an attack based on the X-FORWARDED-FOR header was fixed. (prod00224133)
13. An AppWall Management application exception that occurred under specific configuration scenarios during the login process was fixed. (prod00229733)
14. An AppWall Management application exception when disabling or enabling security filters was fixed. (prod00229254)
15. A possible AppWall failure during fallback from the primary to the secondary Radius server was fixed. (prod00231025)
16. An administrative AppWall user of the “Viewer” role can also see the Configuration view. (prod00226931)
17. Various AppWall management application refresh and view bugs were fixed. (prod00228648, prod00227620, prod00212014, prod00191784)
18. A wrong DefensePro user password provided in AppWall while configuring the signaling does not result in locking the user. (prod00224994)
19. An exception preventing clicking the “Refine” button in the Forensics view of a node was fixed. (prod00223836)
20. Compatibility issues of the AppWall Management application with JRE version 8 update 25. (prod00225118)
21. When an Auto Policy mode is set to “Known Types of Attacks”, the Database security filter automatically generates only "Apply to all other pages" refinements. (prod00190723)
22. When clicking the “Refine” button in the Forensics view on an HTTP parsing violation event, the URL is stripped of the query parameters to refer only to the Web page. (prod00185553)
23. When refining a database security filter event with "Apply to All Other Pages”, the Refine options for all other pages in the logs are no longer available. (prod00173733)
24. It is now possible to run an Application Path level policy distribution from an AppWall server to itself. (prod00159160)
25. Bugs related to wrong red coloring of the left-hand side tree view (indicating missing or wrong configuration) of nodes that are properly configured were fixed. (prod00222187)
26. Added a counter to the Blocked IPs table in the IP blocking module. (prod00220270)
27. The order of the Application Paths list in a host was fixed. (prod00205166)

The following is a list of bugs fixed in AppWall version 5.8.9:

Item | Description | Bug Number
AppWall Gateway
1. | An HTTP request with a very long start line sometimes led to an AppWall failure. | prod00223054
2. | When processing an HTTP request with a space character within a cookie value, the cookie was not parsed properly and was removed from the request forwarded to the Web server. | prod00228767
3. | There were AppWall Management Application exceptions in SSL bridge tunnel settings. |
4. | Added form-based authentication support for a single login page per domain. |
5. | Added support to bind to the management interface IP address when connecting to LDAP and Radius servers. If a management Default Gateway is defined and the new "Force Management IP" checkbox is checked, Radius/LDAP traffic is processed only over the management interface. |
6. | Added configurable penalty scores support for HTTP parsing violations. | prod00229772
7. | Vulnerabilities security filters have visibility into the rule and signature with additional detailed information from the security policy view. | prod00205081
8. | The Transaction ID was not visible in the redirection to a security page for directory listing violations. |
9. | Security logs for directory listing violations and 500 status code replies that are replaced with a black page did not show the XFF header IP address. |
10. | There was an AppWall Management Application exception when the Forensics view of an AppWall node was accessed. | prod00221708
11. | There was a possible AppWall failure during the fallback from the primary to the secondary Radius server. | prod00231025
12. | Logging into AppWall with a Radius user while AppWall was inspecting a very high traffic volume could lead to an AppWall failure. | prod00147290
13. | A high rate of security log generation (for example, high attack traffic volume) could lead to a memory leak in an AppWall Node when sending logs to the Cluster Manager. This issue was introduced in version 5.8.3. | prod00147290
14. | Parsing properties violations in a passive mode tunnel caused IP blocking. | prod00229770

The following is a list of bugs fixed in AppWall version 5.8.8:

Item | Description | Bug Number
AppWall Gateway
1. | The AppWall Management Application login form works properly with Java 8. | prod00225118
2. | Most of the "Networking Problems" events were found to be false alarms not reflecting any practical networking impact and were therefore removed. A log file describing a scenario with connectivity issues is generated. | prod00224657
3. | Rarely, the process of launching a new AppWall instance on Apply changes ended with errors, which sometimes led to traffic interruption. | prod00225509
4. | Legitimate JSON requests (URL-encoded) are no longer blocked as non-RFC compliant POST requests. | prod00225338
5. | Country names that contain an apostrophe (for example, Cote d'Ivoire) are processed properly and do not activate a loop of Database Security filter events. | prod00224776
6. | The Auto Policy Generation process now goes through a sanitation process on learned characters of Application Paths to avoid writing special characters (such as %) into configuration files. |
7. | OpenSSL was upgraded to version 1.0.1j for the proper handling of the POODLE SSL v3 vulnerability. | prod00226105
8. | The AppWall Management exception when adding a new Bridge Mode tunnel was fixed. | prod00227544
9. | The HTTP and HTTPS bridge tunnels in the AppWall Management Application are presented with support for SSL options. | prod00227447
10. | When selecting the "Demo" mode in the Auto Policy Generation wizard, a warning message "Not for production environment" is shown. |

The following is a list of bugs fixed in AppWall version 5.8.7:

Item | Description | Bug Number
AppWall Gateway
1. | Corrected HTTP reader parsing to support proper parsing of multiline headers. This issue also relates to the ShellShock vulnerability, where an attack split across multiple lines (separated with \r\n) could take advantage of this parsing process to evade detection. | prod00224529
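The multiline (folded) header fix in 5.8.7 and the duplicate "Connection" header fix at the top of this section come down to the same requirement: the inspection engine must see the header values the origin server will act on, not a per-line view of them. The following Python parser is an added example written for these notes; it is not AppWall code and does not describe AppWall's implementation. The MAX_LINE_LEN cap and the sample request are constructed for the example.

```python
"""Reassemble folded (multi-line) HTTP headers before inspecting them.

Added example; this is not Radware code and does not reflect AppWall's
implementation. An HTTP/1.1 header line that starts with a space or tab
continues the previous header (obs-fold, RFC 7230 section 3.2.4). A
security filter that scans each physical line separately sees a different
value than the origin server, which joins the lines. The parser below
joins them the way the RFC prescribes (one space per fold), keeps every
occurrence of a repeated header, and flags contradictory Connection
tokens. All sample requests are constructed for this example.
"""
from typing import Dict, List, Tuple

# Upper bound on a single physical line; constructed for the example, not
# an AppWall setting. Oversized start lines are rejected before parsing.
MAX_LINE_LEN = 8192

Headers = Dict[str, List[str]]


def parse_headers(raw: bytes, max_line_len: int = MAX_LINE_LEN) -> Tuple[str, Headers]:
    """Parse the header block of an HTTP request.

    Returns (start line, headers). Header names are lower-cased; values of
    a repeated header are kept in order instead of keeping only the first
    occurrence; obs-fold continuation lines are appended to the previous
    value with a single space.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for line in lines:
        if len(line) > max_line_len:
            raise ValueError("line exceeds %d bytes" % max_line_len)
    start_line = lines[0].decode("latin-1")
    headers: Headers = {}
    current = None  # name of the header a continuation line belongs to
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            if current is None:
                raise ValueError("continuation line before any header")
            # obs-fold: replace CRLF + whitespace with one SP and append
            headers[current][-1] += " " + line.strip().decode("latin-1")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        current = name.strip().decode("latin-1").lower()
        headers.setdefault(current, []).append(value.strip().decode("latin-1"))
    return start_line, headers


def connection_tokens(headers: Headers) -> List[str]:
    """Merge all Connection header values into one list of lower-cased tokens."""
    tokens: List[str] = []
    for value in headers.get("connection", []):
        tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def has_connection_conflict(headers: Headers) -> bool:
    """True when the request asks for both keep-alive and close."""
    tokens = set(connection_tokens(headers))
    return "keep-alive" in tokens and "close" in tokens


def line_by_line_values(raw: bytes, name: str) -> List[str]:
    """Values a reader that does NOT unfold would see for `name`.

    Only the physical line carrying the header name is returned; folded
    continuation text is invisible, which is the inspection gap described
    in the release note.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    prefix = name.lower().encode("latin-1") + b":"
    return [ln.partition(b":")[2].strip().decode("latin-1")
            for ln in head.split(b"\r\n")[1:]
            if ln.lower().startswith(prefix)]


# Constructed sample: a folded User-Agent header and two Connection headers.
FOLDED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"   (build 42; test)\r\n"
    b"Connection: keep-alive\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    start, hdrs = parse_headers(FOLDED_REQUEST)
    print(start)
    print("unfolded User-Agent:", hdrs["user-agent"])
    print("line-by-line User-Agent:", line_by_line_values(FOLDED_REQUEST, "User-Agent"))
    print("Connection tokens:", connection_tokens(hdrs),
          "conflict:", has_connection_conflict(hdrs))
```

Running the block shows the difference that matters for inspection: `line_by_line_values` returns only `example-client/1.0`, while `parse_headers` returns the joined value the server will use. Treating a request with both `keep-alive` and `close` as a parsing violation, rather than silently keeping one header, is the conservative choice for a proxy that must agree with the backend about connection handling.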

The following is a list of bugs fixed in AppWall version 5.8.6:

Item | Description | Bug Number
AppWall Gateway
1. | SSL termination errors do not cause SSL session traffic interruptions (in AppWall stream 5.8.*). | prod00219418
2. | All attack source IPs are properly added to the DefensePro layer 3 black list and layer 7 signatures. | prod00211995
3. | Blocked IPs are unblocked after the penalty time is over. | prod00215013
4. | Improved the IP blocking mechanism to handle a high attack rate. | prod00217083
5. | Improved simultaneous signaling to multiple DefensePro devices. | prod00217759, prod00211774, prod00218254
6. | Added wildcard support for the IP Blocking "Never Block" list. | prod00213386
7. | Fixed Response Data in AppWall Monitor events. | prod00213483
8. | New Cross-site scripting signatures added. | prod00219437
9. | DefensePro black list and signature leftovers after attacking IPs are signaled are now properly cleaned once the attack is over. | prod00209543
10. | UI refresh fixes related to IP Blocking, which may have been shown as disabled while active. | prod00209207
11. | A SafeReply security filter refinement which may have caused AppWall to show an "Ended with Errors" message was fixed. | prod00206463
12. | Fixed the 1012 error message when deleting a parameter from the Global Parameter configuration. | prod00084174
13. | IP address based policy works properly in AppWall Monitor. | prod00212703
14. | A DefensePro "Destination Network" setting is required only for layer 7 signature signaling. | prod00216305
15. | Fixed Throughput info presentation in the Dashboard for AppWall Monitor. | prod00218929
16. | Improved JSON parsing. | prod00219361
17. | Added a check button when adding a DefensePro device to validate connectivity and settings. | prod00214322
18. | Fixed handling of a configuration change when an existing database security filter refinement is changed to "Apply to other pages". | prod00206446
19. | Added "Response Data" in HTTP parsing error logs in the reply. | prod00137313
20. | Improved the signaling mechanism to DefensePro. | prod00217088
21. | CPU usage was 100% when the applet opened on the Dashboard. | prod00210827
22. | The IP Blocking "Never Block" form accepts wildcards (e.g. 192.168.6.*). | prod00213386
23. | Added a "Check" connectivity button when adding a DefensePro device. | prod00214322
24. | Fixed the "Blocked IPs" form refresh in IP blocking. | prod00209553
25. | Auto Policy with Browsing and Crawling profiles is correctly mapped to the Production Profile, making the Auto Policy Generation process shorter. | prod00218257

The following is a list of bugs fixed in AppWall version 5.8.2:

Item | Description | Bug Number
AppWall Gateway
1. | Updated the OpenSSL library version in AppWall to version 1.0.1g in order to address the HeartBleed vulnerability (CVE-2014-0160) discovered in the previous OpenSSL 1.0.1 versions. Relevant to versions 5.7.1 through 5.8.1, which use OpenSSL version 1.0.1e. Previous versions, using older OpenSSL versions, are not vulnerable to HeartBleed. | prod00210190
2. | AppWall now also masks XML-formatted Request Data as sensitive data. | prod00193787

The following is a list of bugs fixed in AppWall version 5.8.1:

Item | Description | Bug Number
AppWall Gateway
1. | Fixed Management Application backward compatibility issues where spaces were not allowed in Web Application, Tunnel and Web server names in versions 5.7.*. | prod00197438
2. | Static routing rules are now properly preserved after the upgrade process. The issue was identified when upgrading from 5.6.* to 5.7.* systems. | prod00197376
3. | After upgrade, you can properly save changes to the configuration, also on Monitor. | prod00206122
4. | An SSL Server Certificate import problem was fixed. | prod00205369
5. | You can edit a cluster node's listen and forwarded IP addresses in the tunnels. | prod00203158
6. | Fixed a refresh issue with a signature update. | prod00198811
7. | The AppWall traffic capture tool now properly maintains the number of capture cycles at 20 and limits each capture file to 5 MB. | prod00186478
8. | The AppWall Management Application allows enabling Authentication and SSO options only on active tunnels. | prod00203817
9. | Added sorting of the "Host Names" by name in the tunnels. | prod00197363
10. | AppWall Publisher now correctly indicates in the Syslog messages when the tunnel is in passive mode. | prod00177033
11. | AppWall updater, which was a legacy update system, is removed from the Web Interface. AppWall Publisher is not related to the signature update service. | prod00201020
12. | Added a counter to the Tunnel's Host Name tab. | prod00197361
13. | You can add multiple database security filter refinements with "Apply To All Other Pages" in an application path. | prod00173734
14. | Slowloris protection, based on the "Protection against idle-connections DoS" HTTP property setting, is now associated with the IP Blocking mechanism. Thus a source hitting the secured application with a Slowloris attack is blocked by IP Blocking. | prod00139651
15. | Auto Discovery with a Hebrew folder name appears with readable characters. | prod00208664
16. | Improved latency when using the AppWall Management Application to manage remote AppWall servers. | prod00198116
17. | Added support for Auto Policy Analysis rules to address scenarios where "Page was not found" is not always a 404 response. | prod00200684
18. | When creating an SSO server with an HTTPS tunnel, the "Secure" cookie is no longer checked automatically and the SSO client now works properly. | prod00198117
19. | Improved support for Internet Explorer in SSO deployment scenarios. | prod00197477
20. | A SafeReply security filter false positive on Social Security Numbers is fixed. | prod00190127
21. | Fixed a bug in the AppWall Management Application related to the LDAP browsing process. | prod00189015
22. | Fixed a bug which may rarely have caused an AppWall failure during SSL traffic processing. | prod00188998
23. | When reply security filters are not enabled (e.g. no Safe Reply) and the security page is a static HTML page, the transaction ID is properly presented with the injected JavaScript. | prod00179575
24. | Added a Forensics Filter based on a Web role. | prod00187586
25. | Fixed a bug where, in a multi-tenancy configuration, an application owner and viewer had access to view refinements of other Web applications. | prod00170841
26. | AppWall's internal Web daemon server certificate is renewed. | prod00167660
27. | When there is no Web application defined in the AppWall policy, AppWall does not fail. | prod00201492
28. | Alerts sent to Vision Reporter are properly sanitized of attack information. | prod00205601

The following is a list of bugs fixed in AppWall version 5.7.6:

Item | Description | Bug Number
AppWall Gateway
1. | SSL termination errors do not cause SSL session traffic interruptions. | prod00219418

The following is a list of bugs fixed in AppWall version 5.7.5:

Item | Description | Bug Number
AppWall Gateway
1. | Updated the OpenSSL library version in AppWall to version 1.0.1h in order to address the HeartBleed vulnerability (CVE-2014-0160) discovered in the previous OpenSSL 1.0.1 versions. | prod00210190
2. | Allows adding multiple database security filter refinements with "Apply To All Other Pages" in an application path. | prod00173734
3. | IP blocking works properly. |

The following is a list of bugs fixed in AppWall version 5.7.3:

Item | Description | Bug Number
AppWall Gateway
1. | On-board bridge network bypass (fail open) is no longer on when the working mode is set to Reverse Proxy. This happened when enabling Fail-Open in Bridge mode and then switching back to Reverse Proxy mode. | prod00200547
2. | Auto-Policy Generation is now properly disabled when it is disabled in all application paths in all Web applications. | prod00201953
3. | Static routing rules may have disappeared after reboot. | prod00197376
4. | A potential failure in AppWall upon an HTTP parsing error when the default Web App is not enabled was fixed. | prod00201492
5. | The applet certificate is now valid until 2017. |

The following is a list of bugs fixed in AppWall version 5.7.2:

Item | Description | Bug Number
AppWall Gateway
1. | Content-Length header values are properly scanned and validated according to the security policy. | prod00190905
2. | The cluster manager now properly synchronizes the configuration to the nodes, even when the last modified date of a file is in the future. | prod00190552
3. | The Policy Distribution wizard running on a Windows device with a primary language other than English works properly. | prod00193844
4. | When enabling TLS 1.2 in an AppWall tunnel, the application is no longer vulnerable to BEAST. | prod00168171
5. | The cluster.cfg file on a node is now visible using the Configuration File Editor. | prod00193561
6. | Session cookie refinements are mapped properly to the correct tunnel\host. | prod00185513
7. | For HTTP RFC and parsing violation events, the source IP address presented in the log is the IP address as retrieved from the X-FORWARDED-FOR header. | prod00178640
8. | The publisher.cfg configuration file is part of the configuration backup. | prod00186701
9. | HEAD requests sent by Web clients are now replied to without a body, only the start line and headers. | prod00196067
10. | Resubmitting credentials, when the SSO client page contains special tags, works properly. |

The following is a list of bugs fixed in AppWall version 5.7.1:

Item | Description | Bug Number
AppWall Gateway
1. | The AllowList security filter does not learn non-legitimate HTTP method names, which previously resulted in a broken AllowList configuration file. | prod00189899
2. | You can open ethSRV and ethMNG addresses for cluster control without the need to change the Cluster Manager IP address in the Cluster.cfg file. | prod00186776
3. | The Auto Policy Generation settings in the Filter table are disabled when Auto Policy Generation is disabled for the Application Path. | prod00184571
4. | The AppWall Management Application warns to "save" when setting Publishing Rules and exiting the screen. | prod00165888
5. | The dashboard presents the correct IP addresses for the cluster nodes. | prod00174692
6. | The Cluster Manager synchronizes the users.cfg file. All user credential modifications and the adding/deleting of users on the Cluster Manager are synchronized with the nodes. | prod00152077
7. | The x-country-code HTTP header (mobile devices header) does not cause false positives. | prod00187740
8. | When Auto Policy is enabled on an application path, AppWall properly generates security events for the IP role. | prod00187887
9. | Viewer users can add new application paths. | prod00177079
10. | Dashboard statistics (max values) reset after applying or restarting. | prod00177590
11. | You can select a page in the forensics logs. | prod00171345
12. | The "Illegal Combination" message in Auto Policy Generation indicates the specific problem. | prod00187714
13. | Refresh issues and long response times in Auto Discovery, when processing large tree structures, are resolved. | prod00089183, prod00175768, prod00142113
14. | The AppWall Management Application properly displays parameter values in the Auto Discovery view. | prod00141092
15. | VLAN tagged environments are supported. | prod00168303
16. | Watchdog log events are aligned with the configured local time zone. | prod00191506
17. | User tracking works properly with IP based roles. | prod00188196
18. | The Apache daemon is not affected by the log rotation process. | prod00178883
19. | AppWall signature update requests contain only a single User-Agent header. | prod00178778
20. | All relevant information, including references to external sources, is properly presented for Vulnerabilities security events. | prod00154151
21. | Upon an unsuccessful login attempt, AppWall properly indicates the username. | prod00151281
22. | You can filter security events for Passive and Active events. | prod00127152

Known Limitations

The following are known limitations for this version:

Item | Description
AppWall Gateway
1. | AppWall in monitor mode cannot work with Perfect Forward Secrecy (i.e. Diffie-Hellman ciphers).
2. | AppWall Authentication Gateway and SSO may not be backward compatible with previous versions. Customers using the Authentication Gateway should contact Radware Technical Support prior to upgrading.
3. | Where multiple Database Security Filter refinements match the same request, only the first refinement is considered. This is relevant for the case where a refinement containing a regular expression is created.
4. | When backing up the configuration on a Cluster Manager, the cluster.cfg configuration file that stores the nodes in the cluster is backed up. However, when restoring the configuration backup this file is not restored, as this may cause challenges when restoring on a device different from the one where the backup was taken. This may cause configuration inconsistencies. If the restore operation is on the original Cluster Manager from where the backup was taken, you can manually restore the Cluster.cfg file to preserve the full configuration.


North America: Radware Inc., 575 Corporate Drive, Mahwah, NJ 07430, Tel: +1-888-234-5763

International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel, Tel: 972 3 766 8666

© 2017 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the USA.
