R81 Jumbo Hotfix Take 106

NEW: Threat Emulation in Endpoint Security Clients version E87.60 and higher now supports the ONE, XAR, and WSF file formats.

UPDATE: Apache HTTPD version was updated from 2.4.55 to 2.4.61 to fix: CVE-2023-31122, CVE-2023-43622, CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573.

UPDATE: A patch on top of OpenSSL 1.1.1w to fix CVE-2024-2511. Refer to sk182320.

UPDATE: Resolved CVE-2024-3596 - Blast-RADIUS attacks. Refer to sk182516 > Login to Gaia Portal.

UPDATE: Added SHA256 fingerprints to certificate objects to mitigate the risk of hash collisions and enhance trust when utilizing the fingerprint, encoded with English words, as a verification mechanism.

UPDATE: JRE is updated from version 8.0_8.10 to version 8.0_8.21.

UPDATE: The "set threat-exception" Management API command now includes the "protection-or-site" parameter. When specified, this parameter adds new values to the existing list of protections or sites, instead of overwriting the current entries.

UPDATE: Added ability to increase/decrease DNS cache table size.

UPDATE: Added ability to increase/decrease DNS cache table size.

UPDATE: Added the "trackSettings.forensics" parameter to the "threat-rule" Management API command to enable and disable the "forensics" option in the "Track" column. Syntax example: "mgmt_cli add threat-rule layer 'Standard Threat Prevention' position 1 track-settings.forensics false -r true".

UPDATE: When URL Filtering operates in Background Mode and encounters an unclassified connection, instead of being approved automatically, such connection is now accepted or rejected based on Access Rule Base execution, and listed under the "unknown" category.

UPDATE: SSL Network Extender is updated to version 80008409.

UPDATE: VPN connections are now synchronized to all members of the Security Group by default. The default value of the "vpn_sync_to_all" kernel parameter is set to "1".

UPDATE: Added Take 21 of Public Cloud CA Bundle. Refer to sk172188.

UPDATE: Added Update 18 and Update 19 of HealthCheck Point (HCP) Release. Refer to sk171436.

SmartConsole may freeze when selecting a client under Security Gateway object > Identity Awareness tab > RADIUS Accounting Settings.

• Requires additional configuration and R81 SmartConsole Build 569 or higher. Refer to sk181630.

In rare scenarios, the Management Server upgrade fails during the import stage with "an eclipse error has occurred enable logging on EclipseLinkExceptionHandler to see full error".

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

Export of a list of objects from the Global Object Explorer fails with the "Export policy is not supported when rule name is in a format of UUID" error message.

Log queries fail with the error "Problems have occurred during search" when Domain migration is in progress. This occurs specifically during the execution of "export-management" or "import-management" Management API commands.

"Mapping of Data Center [xxxx] failed. Next mapping is in 300 seconds" errors in the CME logs show failed attempts to scan deleted data centers.

In some scenarios, the FWM process may unexpectedly exit and generate a core dump every few days, when Compliance is enabled and the scheduled full scan is not configured according to sk182507.

In rare scenarios, the API status shows "Automatic Start: Disabled" even though the automatic start was not disabled manually.

In some scenarios, when searching objects in SmartConsole, not all relevant results are highlighted.

In rare scenarios, login to SmartView web application using the Domain IP address or Domain name fails.

If the $FWDIR/conf/fwm.adtlog file is not valid, the FWM process leaves unused file descriptors, which may affect the Security Management Server performance.

When exporting a policy to a CSV file, the process fails silently if any rule within the policy has a name or comment in UID format. No clear error message is provided to indicate the cause of the failure.

Several Management API commands, such as "show-package" and "install-policy", may fail if running them after the deletion of a cluster member.

When a Domain name (for example, "XXX") is a subset of another Domain name (for example, "XXX-YYY"), the "mdsstop" command may fail to stop a Domain named "XXX-YYY".

In some scenarios, opening new tab in SmartConsole Logging & Monitoring tab fails with "HTTP error 500 - problem accessing smartview/embedded. Reason: Server Error". Refer to sk182732.

In rare scenarios, CPU consumption on the Security Management Server is high and logs are not displayed.

The traffic field in the SmartEvent "Application and URL Filtering" report, specifically in the "High Bandwidth Applications" section, is incorrectly displaying data in petabytes (PB) instead of the expected gigabytes (GB).

In some scenarios, in Multi-Domain Management environments with over 300,000 network objects, the LOG_INDEXER process repeatedly exits if the procedure from sk164452 is not applied.

When adding a table widget to a SmartView report:

• The "Missed Malware Activity" and "Spyware Action" fields may not be possible to pick.

• The "Malware Action" filter may appear twice in the picker. Refer to sk182049.

In SmartView, filtering logs by "event_type" may fail with the "Query failed" error.

In SmartView, some countries are not displayed in the countries picker.

In rare scenarios, the FWD process on the Security Gateway may reach out of memory and produce a core dump file of around 3GB.

In rare scenarios, the CPSEMD process on the SmartEvent Server may unexpectedly exit, creating a core dump file.

The FWD process may exit and cause issues with opening packet capture files on remote members.

In some occasions, redundant errors appear in logs: "fw_inspect_ghtab_bl_ld_sync: invalid FW_INSPECT_GHTAB_BL_LD_SYNC_TABLE_ID".

Incorrect value in the "fwisusfw" register causes improper CPU affinity and dynamic balancing initialization in User Space Firewall mode after an upgrade. Refer to sk182004.

In a VSX Cluster environment, the CPVIEWD daemon may cause a high CPU.

During policy installation, Rule Base internal error drops may be shown in the SmartConsole logs. Logs related to "dynobjs" may be printed in Messages.

A minor memory leak in a process related to the Unified Access Policy Rule Base.

Kernel Memory usage increases persistently each day on a Security Gateway/Security Group when CGNAT is enabled. Refer to sk182140.

A rare race condition may be triggered by the timing and packet patterns of VoIP traffic, and, as a result, the FWK process may restart.

In some scenarios, the Security Gateway offloads connections to SecureXL in error when the initial route lookup could not find a route for it.

A buffer overflow may occur in the HTTP flow, affecting the FWK process.

The Security Gateway may crash after a failure in policy installation.

CRL fetch may fail when passing through a Security Gateway with deep inspection, even if the connection hold is quickly released. CPCA closes the connection prematurely.

SSH DPI may not work because of incorrect parsing of the client hello from a non-standard SSH client.

Anti-Virus fails to parse IoC feeds that contain IPv6 addresses.

In rare scenarios, policy installation may fail after an upgrade of a VSX Gateway.

In some scenarios, policy installation and IPS package updates may take a very long time to finish and cause traffic drops.

When using ICAP, filename handling occasionally fails. As a result Threat Emulation may not be able to process this specific file.

Policy Enforcement Point (PEP) logs show a username after the user session is expired. Refer to sk181553.

In some scenarios, the PEPD process may consume a high CPU because of a high rate of identity propagation.

The fwk.elg file may be flooded with the "DNS_DATA_SOURCE failed on context 201, executing context 366 exception" messages. Refer to sk182606.

IPS may drop an IPv6 TCP local connection.

Multiple internal errors, including file metadata retrieval failures and parsing errors, may be printed in the DLPDA logs.

The DLPU process may unexpectedly exit due to uninitialized memory when Anti-Virus scans files. Refer to sk182030.

Anti-Bot may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494.

Web Application names column width is too narrow to fit in the Mobile Access Portal. Refer to sk181774.

The HTTPD process of the Mobile Access Portal may exit with a core dump file.

Cluster members may crash, generating vmcores in /var/log/crash.

After modifying a bond, the Monitored VLANs may disappear. Refer to sk180724.

In some scenarios, the VSX Gateway does not initialize the Virtual System correctly when connected to a Virtual Router or Virtual Switch.

During the deny list update process, there is a temporary gap where no IP addresses are blocked, allowing unwanted traffic to pass through the Security Gateway unfiltered.

In a rare scenario, a memory leak in the adp kernel module may occur during multicast routing assert failures.

When the VSX Gateway is created, the parameter that determines whether VSX mode is enabled or disabled is not set in SecureXL configuration until a reboot is performed.

OSPFv2 graceful restart mechanism fails on broadcast and point-to-multipoint networks due to the omission of an "IP-Address" field in the grace LSA.

A multicast outage may occur during failovers caused by interface flaps.

A multicast outage may occur after a failover triggered by incomplete processing of cluster synchronization messages.

Graceful Restart may end prematurely in OSPF NSSA areas.

Adding multiple VPN tunnels via Clish in Transaction Mode fails, while adding them individually succeeds.

The "cpviewd: unable to read from gpio_nuvoton driver module. snmpd: unable to read from gpio_nuvoton driver module" messages may be printed in /var/log/messages.

After a Jumbo Hotfix Accumulator upgrade, login notifier may be enabled, although it was disabled before the upgrade.

Trap names duplications in chkpnt.mib and chkpnt-trap.mib may cause incorrect values when using SNMP traps.

During high-frequency encryption of packets over a VPN tunnel, the Security Gateway may assign the same sequence number to multiple packets. This causes the receiving VPN peer to mistakenly identify these legitimate packets as replay attacks and drop them.

Configuring a Large Scale VPN (LSV) with IPv6 and establishing a VPN tunnel may cause the FWK process to exit.

Remote Desktop Protocol (RDP) connections may frequently disconnect when network traffic is routed through a combination of medium path, Quality of Service (QoS) controls, and VPN.

During high-volume VPN tunnel initiations, several packets may be dropped with "encrypted packet too big".

Tunnel testing fails after an upgrade. Refer to sk182267.

In a rare scenario, in a Maestro environment, the first packet of the VPN tunnel is lost or has a large delay.

Under a special routing configuration, an active Cluster member may accept portal traffic (on TCP ports 80 and 443) destined to a Standby member IP address.

In a VSX Cluster with IPv6 enabled, after an upgrade, VS's without IPv6 address may fail to install the Access policy.

Memory corruption may occur when a bond interface is configured, leading to a Security Gateway crash with a vmcore or a boot loop.

In the Kubernetes Data Center, the Import window may be stuck in "Initializing" state.

Traffic outage after policy installation on a Maestro Security Group in the VSX mode that works in the Dual Site configuration. Refer to sk182379.

When configuring backup-scheduled/snapshot recurrence via gClish shell with "The <name> job already exists. Please choose another name. Backup schedule failed. The backup will not be scheduled".

In a Maestro environment with the "vpn_sync_to_all" parameter enabled, connection going through a Site to Site VPN to a remote location, may be dropped with "First packet isn't SYN".

See the Important Notes section.