Kemp was pleased to announce the availability of LMOS Version 7.2.55 to all customers on September 15, 2021. The major themes of the release are Configuration, Stability, Security, Capacity, and Performance. Below, I’ll describe the most important features and fixes in each area. For a full description of the release, please see the Release Notes.
Configuration
- AWS Platform Updates: Kemp has updated its support for AWS instance types to enable customers to move to newer, more powerful, and, in some cases, cheaper machine instances based on AWS’ Nitro technology. The new supported instance types are: C5d, M5d, R5d, T3a. Please see the release notes for the availability of these instance sizes for the various LoadMaster AWS offerings. Also see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html for more information on these and other Nitro-based instances.
- Web Application Firewall (WAF): Provided expanded configuration options for the TLS version for WAF log export, and for configuring the OWASP POST maximum body size with a maximum setting of 10MB.
- Network Telemetry: An updated version of the Network Telemetry add-on package is available with LMOS 7.2.55 that enhances VLAN configuration for export of flow data by the Flowmon Probe. VLANs on network interfaces that do not have an IP address are now automatically recognized by Network Telemetry, requiring no further configuration steps. The LoadMaster Dashboard Installer for Collector has also been updated to provide automatic creation of the configuration file as well as recognition of SubVS architecture in Flowmon Collector Dashboards, among other improvements. [Note that the add-on is installed separately from LMOS 7.2.55. See the section at the end of this blog.]
Stability
- Web Application Firewall (WAF):
  - Addressed an issue with connection timeouts that caused the log message “Hit connection limit 64000” to appear and WAF processing to stop when a remote real server fails.
  - Fixed issues that could cause a segmentation fault or reboot when the WAF configuration is modified while there is traffic passing through the WAF engine.
  - Fixed an issue that caused response rules to not be processed properly, resulting in WAF not blocking attacks that should have been blocked.
- QoS / Client Limiting:
  - Fixed an issue that could cause limiting to thrash between limiting and not limiting a client.
  - Fixed an issue that could cause a kernel panic when limiting UDP traffic.
- ESP Post-Pass Authentication: Fixed an issue that broke the “Post-Pass” authentication method (and hence broke pre-authentication for Citrix Workspace App deployments).
- Single Sign On – LDAP: Fixed issues that caused LDAP SSO to stop working after an upgrade to LMOS 7.2.53. The issues appeared in conjunction with log messages like the following (LDAP result code 32 is noSuchObject, which the directory returns when a DN it was asked for, typically the bind or search base DN, does not exist):
ssomgr: … Couldn’t bind: [LDAP-AD] [ip-addresses-omitted]: 32, No such object
ssomgr: do_sso_ldap_check: Could not get ldap_result for (credentials-omitted): 32 [No such object]
Security
- SSL Renegotiation Disabled By Default: Starting with LMOS 7.2.55, the System Configuration > Miscellaneous Options > L7 Configuration > SSL Renegotiation setting is disabled by default, as a recommended security best practice: several published vulnerabilities involve renegotiation, and TLS 1.3 removes it entirely. This change applies to both new deployments and upgrades, so customers who currently have SSL Renegotiation enabled and still depend on it will need to re-enable it after the upgrade.
- Ciphers Used for Re-encryption: In previous releases, the ciphers used for re-encryption connections to Real Servers were not configurable. All re-encryption connections now use the same cipher set as other outbound connections, as specified by the Certificates & Security > Remote Access > Outbound Connection Cipher Set setting. Before upgrading, confirm that this set includes at least one cipher each re-encrypted Real Server accepts; a backend that only negotiated a cipher outside the outbound set will stop accepting re-encrypted connections once they are governed by that setting.
- Update OpenSSL to Version 1.1.1k: The version of OpenSSL on LoadMaster has been updated from 1.1.1 (no letter suffix) to 1.1.1k, addressing the issues fixed in the intervening 1.1.1 releases. Among the fixes that landed in 1.1.1k are CVE-2021-3449 (a NULL pointer dereference that lets a client crash a TLS 1.2 server that permits renegotiation) and CVE-2021-3450 (a bypass of the CA certificate check enabled by X509_V_FLAG_X509_STRICT). See the OpenSSL 1.1.1 Release Notes page for more information on the differences between 1.1.1k and previous releases.
- Security Vulnerabilities:
  - Templates: Closed a vulnerability in the UI/API that allowed a malicious user to upload a specially crafted template to the system and place unauthorized content on the filesystem.
  - Console CLI: Closed a vulnerability that allowed an authenticated user to get access to a privileged shell.
  - LDAP UI Access: Closed a vulnerability that could allow an invalid user to get UI access using specially crafted credentials.
Capacity
- GEO FQDNs, Records, IP Addresses: In previous releases, the number of Fully Qualified Domain Names (FQDNs) that could be defined was limited to 256 in total. With this release, significant improvements to processing and performance have resulted in the removal of this limitation. The practical limit on the number of FQDNs supported is now determined by available system resources (including the amount of load balanced traffic being handled by LoadMaster). The global limit of 1024 IP addresses and records has also been removed.
Performance
- Logging – ESP Performance: Addressed issues with date calculations that could cause ESP logging to consume significant CPU resources.
- HTTP/2 Performance: Fixed issues with clients that accept data more slowly than real servers send it, which could degrade HTTP/2 performance.
- Content Response Rules: Fixed an issue that caused performance issues when attempting to apply a response rule to an empty file.
- GEO UI Performance: Alongside the capacity improvements to GEO mentioned above, the FQDN UI has been modified to improve responsiveness when larger numbers of FQDNs are defined, resulting in significantly better UI performance compared to previous releases.
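The SSL Renegotiation default change in the Security section above can be verified from the outside, which is worth doing after the upgrade on any Virtual Service where the setting was not deliberately re-enabled. The following is an added example, not Kemp's or LoadMaster's code: it drives the `openssl` command-line client (assumed to be an OpenSSL 1.1.x build on PATH) with the `R` line that makes `s_client` call `SSL_renegotiate()`, and classifies what comes back. The `probe` and `renegotiation_verdict` helpers, the marker strings (taken from `openssl s_client -state` output and possibly worded differently by other builds), and the sample transcripts are all constructed for this example.

```python
"""Check whether a TLS 1.2 endpoint still honours client-initiated renegotiation.

Added example, not LoadMaster code. Assumes an OpenSSL 1.1.x `openssl` CLI on
PATH; the marker strings below come from `openssl s_client -state` output and
may differ in wording on other OpenSSL builds.
"""
import re
import subprocess
import sys

# s_client prints this when it reads an "R" line on stdin and calls SSL_renegotiate().
ATTEMPT_MARKER = "RENEGOTIATING"

# Evidence that the server declined: a no_renegotiation warning alert (which the
# OpenSSL client escalates to a fatal handshake_failure), a fatal alert, or the
# raw alert numbers 40 (handshake_failure) / 100 (no_renegotiation).
REFUSAL_PATTERNS = (
    r"no renegotiation",
    r"handshake failure",
    r"unexpected message",
    r"alert number (?:40|100)\b",
)

# Evidence that a second handshake actually progressed (-state logs each transition).
ACCEPT_PATTERN = r"SSL_connect:.*read server hello"


def renegotiation_verdict(s_client_output: str) -> str:
    """Classify combined stdout+stderr of s_client after "R" was sent.

    Returns "refused", "accepted" or "inconclusive". Only text after the
    RENEGOTIATING marker is examined, so the initial handshake's own state
    lines cannot be mistaken for a successful renegotiation.
    """
    _, marker, after = s_client_output.partition(ATTEMPT_MARKER)
    if not marker:
        return "inconclusive"  # s_client never attempted renegotiation
    if any(re.search(p, after, re.IGNORECASE) for p in REFUSAL_PATTERNS):
        return "refused"
    if re.search(ACCEPT_PATTERN, after):
        return "accepted"
    return "inconclusive"


def probe(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect with TLS 1.2 forced (TLS 1.3 has no renegotiation), send "R", classify."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-tls1_2", "-state"]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    try:
        out, _ = proc.communicate("R\n", timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()  # server kept the session open; classify what was printed so far
        out, _ = proc.communicate()
    return renegotiation_verdict(out)


# Constructed transcripts (not captured from a real LoadMaster) showing the
# two outcomes as -state renders them.
SAMPLE_OUTPUTS = {
    "refusing_server": (
        "SSL_connect:SSLv3/TLS read server hello\n"
        "SSL_connect:SSLv3/TLS read finished\n"
        "RENEGOTIATING\n"
        "SSL3 alert read:warning:no renegotiation\n"
        "SSL3 alert write:fatal:handshake failure\n"
    ),
    "accepting_server": (
        "SSL_connect:SSLv3/TLS read finished\n"
        "RENEGOTIATING\n"
        "SSL_connect:SSLv3/TLS write client hello\n"
        "SSL_connect:SSLv3/TLS read server hello\n"
    ),
}


def classify_samples() -> dict:
    """Run the verdict logic over the constructed transcripts."""
    return {name: renegotiation_verdict(text) for name, text in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(f"{target}: client-initiated renegotiation {probe(target)}")
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Run it as `python3 check_renego.py vs.example.com`. After the upgrade a Virtual Service with the default setting should report `refused`; `accepted` means the setting was re-enabled (or the traffic terminates somewhere other than the LoadMaster). A target that only offers TLS 1.3 fails the forced TLS 1.2 handshake before `RENEGOTIATING` is ever printed and therefore reports `inconclusive`, which is the correct answer, since TLS 1.3 has no renegotiation to test.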
Where Can I Get it?
- LMOS 7.2.55 can be downloaded from the LoadMaster Latest Firmware page.
- The latest Network Telemetry Add-On can be initially installed from the Network Telemetry UI page. To upgrade an already installed add-on, download the latest version from the Other Downloads page and then update the add-on from the System Configuration > System Administration > Update Software UI page.
- The latest LoadMaster Dashboard Installer for Collector is available from the Other Downloads page. See the documentation included in the download for information on using the script.