R81.10 Jumbo Hotfix Take 158

NEW: Implemented support for LDAP queries using Windows Security Identifiers (SIDs) as search criteria.

NEW: Added Generic Data Center support for Quantum Maestro environments.

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.58 to fix CVE-2023-31122, CVE-2023-43622.

UPDATE: Added a defense mechanism against malicious code injections through special HTTP requests. Resolved CVE-2024-24914. Refer to sk182743.

UPDATE: Modified the content of the https://<ip_adress>/license_management/ page.

UPDATE: When deleting a Secondary Multi-Domain Security Management Server, SmartConsole now shows an "After MDS '<MDS name>' is deleted, you should delete the Secondary Domain Servers from the Domains and revoke their certificates" message.

UPDATE: Enhanced the Access Control log for "Accept" actions with initial matched layers of "IoT" or "Playblocks":

The "Layer Name" field now shows the admin-configured layer, alongside Rule Name and Rule Number, allowing administrators to view their preferred match layer rather than defaulting to the first matched layer or inline rule. This change improves visibility into the specific security policy components responsible for accepting traffic.

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

UPDATE: The Mobile Access Portal is no longer compatible with the Chrome browser on iOS and Android mobile devices.

UPDATE: Extended the "allowed-client" setting to enforce IP restrictions for both password and SSH key authentication methods, providing more comprehensive access control.

UPDATE: SIP over UDP requests and responses may be dispatched to different firewall instances when a single-direction rule is defined in the Rule Base, potentially causing returned SIP traffic to be dropped as an unknown connection. To address this, a new global parameter "sip_forward_if_needed" is introduced (disabled by default). When enabled, the Security Gateway forwards responses to the appropriate request instances. Refer to sk182667.

UPDATE: New features and improvements are released in Take 114 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 97 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.

• Requires additional configuration and R81.10 SmartConsole Build 426 or higher. Refer to sk181630.

In some scenarios, an upgrade of Security Management Server or Multi-Domain Security Management Server fails with the "Failed: upgrade of "DOMAIN_NAME". For more details see upgrade logs below" error in the upgrade report.

• The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

In rare scenarios, the CPCA process on the Security Management Server / Domain Management Server may exit unexpectedly, creating a core dump file. Refer to sk183101.

Objects Explorer search fails with "Error retrieving results" when more than twenty thousand IP addresses match the search criteria.

The UPDATE_INSPECT_FILES process of Upgrade Tools may exit with a core dump.

The "domains_tool -report" command may fail if more than sixteen host objects are defined as DNS Servers in the environment.

In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running with "details-level full".

In rare scenarios, login to the Security Management Server may fail with timeout and the FWM process on the Management Server may unexpectedly exit, creating a core dump file.

In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually.

In rare scenarios, publishing a session in SmartConsole fails with the "got at least one duplicate UID in requested list, duplicates UIDs: [XXX]" error.

The "set simple-cluster" Management API command with the "vpn-settings.vpn-domain" parameter succeeds, but the VPN Domain is not set.

Upgrade of the Multi-Domain Security Management Server may fail with the error "Folder object not found".

• The fix requires the upgrade to be done using a Blink image or the Advanced Upgrade method.

When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY".

In rare scenarios, empty log list may be displayed when selecting a log file to view in SmartConsole.

When adding a table widget to a SmartView report:

• The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

• The "Malware Action" filter may appear twice in the picker.

In some scenarios, in Multi-Domain Security Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied.

In SmartView, filtering logs by "event_type" may fail with the "Query failed" error.

The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB).

In some scenarios, websites that use HTTP2 protocol do not load properly.

In some scenarios, adding sequential IP addresses as MDPS task addresses may fail.

The CPWD daemon does not restart automatically.

Security Gateway running in SecureXL User Mode (UPPAK) may crash during driver removal showing "m_free: mbuf doublefree" in the backtrace.

Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140.

In rare scenarios, when HTTPS Inspection is enabled, the FWK process may unexpectedly exit due to memory violation.

The Anti-Virus Blade fails to parse IoC feeds that contain IPv6 addresses.

In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops.

Policy Enforcement Point (PEP) logs show a username after the user session is expired. Refer to sk181553.

Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs.

In a rare scenario, the Security Gateway may crash due to memory corruption caused by the Anti-Virus Blade.

Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774.

The HTTPD process of the Mobile Access Portal may exit with a core dump file.

A race condition may occur in a large scale VSX Cluster environment and SecureXL User Mode (UPPAK) is enabled.

The USIM process may unexpectedly exit.

In rare scenarios, the Security Gateway crashes when the interface goes down right before it transmits packets out.

Some packets on connections to bonded VLAN interfaces may be dropped because of missing interface info.

OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA.

Duo management reports display incorrect access source locations due to Security Gateways providing inverted IP addresses during the two-factor authentication challenge response process. Refer to sk181783.

During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them.

Tunnel testing may fail after an upgrade. Refer to sk182267.

In rare scenarios, the CPD process of the default Virtual System on a VSX Gateway (VS0) gets stuck.

In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state.

When running the "set user username force-password-change yes" command in gClish on Scalable Platforms, the new configuration may not be applied.

The "distutil" script may take a long time to run in an environment with many VS's.