================================================================================
Fixlist for IBM Secure Proxy 6.0.0.0 (SSP6000) iFix 01
March 2019
================================================================================

This cumulative maintenance iFix includes the GA release of SSP Engine and
SSP Configuration Manager 6.0.0.0 as well as the fixes for the issues
mentioned below. The install images for the SSP Engine, CM and PS may be used
to install a new image or upgrade an existing image in place.

Contents:
  I.   HIPER fixes / Fixes requiring Action by iFix
  II.  Summary of Fixes by iFix/Build (Latest iFix / Builds first)
  III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

In SSP6000 iFix 1 (March 2019):
  NONE

In SSP6000 GA (February 2019):
  ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced changes to disable SHA1
  certificates. See PSIRT12959 and PSIRT13809 for more details.

===============================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
Fixes are marked as Engine and CM (Configuration Manager)
===============================================================================

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 01 Build 115 Mar 2019
-------------------------------------------------------------------------------
MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending
                         with *
SSP-2968/No APAR (CM) - Allow HTTP response header overrides
SSP-3109/SSP-3578 (CM) - Better help in change password screen
SSP-3444/No APAR (CM) - Internal AppScan - CSRF - Login SSPNonce
SSP-3446/No APAR (CM) - (GUI) Adapters listed out of order in monitor
SSP-3451/No APAR (CM) - (GUI) Ensure HTTP Header values only have ASCII
                        characters
SSP-3458/No APAR (CM) - Internal AppScan - HTTP cookies
SSP-3511/No APAR (CM, Engine) - (PeSIT) Netmap not accepting wildcard entries
SSP-3515/No APAR (Engine) - Improving messages for PeSIT user blacklisting
SSP-3525/No APAR (CM) - SAML 2.0 related field validations
SSP-3579/No APAR (CM) - SFTP netmap peer address pattern with multiple "?"
                        wildcards fails with PatternSyntaxException
SSP-3584/SSP-3597 (CM,Engine,PS,SEAS) - Support for Windows 2016
SSP-3606/No APAR (CM) - (REST API) Unable to import XML with
                        httpSecurityHeaders

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter)
===============================================================================

PSIRT12959 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for
PSIRT13809 security patches.
Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018
level to satisfy the CVEs in PSIRT advisories 12959 and 13809. See
http://www.ibm.com/support/docview.wss?uid=ibm10872758 for the Security
Bulletin.
ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced a change to disable SHA1
certificates via the jdk.certpath.disabledAlgorithms parameter in the
/jre/lib/security/java.security file. For more information, read the
comments in the java.security file which relate to the added parm:
  jdk.certpath.disabledAlgorithms= * * *, SHA1 jdkCA & usage TLSServer,

MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending
with *
On the Netmap Inbound Node Definition screens for CD, FTP, HTTP, and SFTP,
the ability to have peer address patterns which started or ended with *,
e.g. *.company.com or www.company.*, was broken. Also known internally for
the SSP6000 branch as SSP-3562. SSP-3357 provided REST API support to match
the GUI changes.
Resolution: Corrected the parser which was keeping these patterns from
working.

SSP-2968/No APAR (CM) - Allow HTTP response header overrides
Resolution: Allow the user to override the default values for these response
headers: X-Frame-Options, X-XSS-Protection, Content-Security-Policy,
X-Content-Type-Options and Strict-Transport-Security.

SSP-3109/SSP-3578 (CM) - Better help in change password screen
When the password policy is used for CM users, there should be better
messages in the change password screen.
Resolution: Added popup assistance messages such as "Your password is
required to contain at least one of the following characters `#@$%^&*" and
"Confirm password must match New Password".

SSP-3444/No APAR (CM) - Internal AppScan - CSRF - Login SSPNonce
An internal AppScan revealed that CM GUI sessions were using an insufficient
authentication method.
Resolution: Now validate the value of the "Referer" header and use a
one-time nonce for each submitted form.

SSP-3446/No APAR (CM) - (GUI) Adapters listed out of order in monitor tab
In the CM monitor tab, the Engine status lines were in alphanumeric order
but the adapter lines were not.
Resolution: Corrected the monitor screen to display the adapters in
alphanumeric order.

SSP-3451/No APAR (CM) - (GUI) Ensure HTTP Header values only have ASCII
characters
HTTP headers need to be validated to make sure that values are in ASCII
format.
Resolution: Now validate the HTTP headers for ASCII data.

SSP-3458/No APAR (CM) - Internal AppScan - HTTP cookies
An internal AppScan recommended some updates for HTTP cookies used to access
the GUI.
Resolution: Now set the domain and path for HTTP cookies containing session
identifiers to an appropriately restricted value for the site.

SSP-3511/No APAR (CM, Engine) - (PeSIT) Netmap not accepting wildcard entries
The PeSIT protocol netmap for inbound entries was not allowing wildcard
patterns such as "CX1*" or "CX2*", only a full wildcard "*" or full names.
Resolution: Now allow the PeSIT netmap to accept peer address patterns.

SSP-3515/No APAR (Engine) - Improving messages for PeSIT user blacklisting
When using the new blacklisting feature introduced in SSP 6.0, the IP
address blacklisting works for PeSIT and indicates that the session was
rejected because the address was blacklisted. But while the user
blacklisting locked the PeSIT user, the log did not say it was because of
blacklisting.
Resolution: Now put out the SSP0511E message for a locked userid, which
indicates the PeSIT account was locked due to blacklisting.

SSP-3525/No APAR (CM) - SAML 2.0 related field validations
In the Advanced / SSO Configuration screen, the new SAML 2.0 fields
introduced in SSP 6.0 were not being validated fully.
Resolution: Now do URL validation for Service Provider ID, External Portal
Login URL, and External Portal Logout URL. Also, for Fully Qualified Host
Names, added a similar validation for the Primary Destination Address
field, which means the FQDN for SSO will not accept any kind of IP pattern
or peer address pattern.

SSP-3579/No APAR (CM) - SFTP netmap peer address pattern with multiple "?"
wildcards fails with PatternSyntaxException
An SFTP netmap peer address pattern that contained two or more "?"
characters was throwing the exception
"java.util.regex.PatternSyntaxException: Dangling meta character".
Resolution: Now allow multiple ? characters in the SFTP netmap peer address
pattern.

SSP-3584/SSP-3597 (CM,Engine,PS,SEAS) - Support for Windows 2016
Resolution: Add support for Windows 2016 - Upgraded all installers to use
InstallAnywhere 2018 SP1.

SSP-3606/No APAR (CM) - (REST API) Unable to import XML with
httpSecurityHeaders
The new HTTP Security Header overrides introduced in SSP-2968 were not being
handled correctly by the REST API import tool.
Resolution: Modified the SSP 6.0 sysglobals.xsd to accept the
httpSecurityHeader and cookie domain fields.
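Worked example for the peer address pattern fixes above (MFT-10020, SSP-3511 and SSP-3579): the two netmap wildcards, "*" for any run of characters and "?" for exactly one character, translated into a regular expression so that a leading/trailing "*" and several "?" work and every other character stays literal. This is an added illustration, not SSP's code; it uses Python's re module as a stand-in for java.util.regex and assumes the pattern is translated to a regex, which the exception named in SSP-3579 suggests but the fixlist does not state. The "naive" translator is constructed to show the failure mode.

```python
import re
from typing import Callable, Optional

# Constructed illustration, not SSP's implementation. Netmap wildcards:
# '*' = any run of characters, '?' = exactly one character, anything else
# (notably '.') is a literal.


def naive_pattern_to_regex(pattern: str) -> str:
    """Constructed 'before' translator: rewrites '*' but passes '?' and '.'
    through unescaped, so a '?' with nothing before it becomes a dangling
    regex quantifier (Java reports this as 'Dangling meta character')."""
    return "^" + pattern.replace("*", ".*") + "$"


def safe_pattern_to_regex(pattern: str) -> str:
    """Translate character by character: only the two wildcards carry regex
    meaning; every other character is escaped so it matches literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def compile_error(pattern: str, translator: Callable[[str], str]) -> Optional[str]:
    """Return the regex compiler's message if the translated pattern is
    rejected, or None if it compiles cleanly."""
    try:
        re.compile(translator(pattern))
        return None
    except re.error as exc:
        return str(exc)


def peer_matches(pattern: str, address: str) -> bool:
    """Decide whether a peer address is admitted by a netmap pattern."""
    return re.fullmatch(safe_pattern_to_regex(pattern), address) is not None


if __name__ == "__main__":
    # Two '?' at the start: the naive translation yields '^??...' and fails.
    print(compile_error("??.company.com", naive_pattern_to_regex))
    print(compile_error("??.company.com", safe_pattern_to_regex))  # None
    for pat, addr in [("*.company.com", "ftp.company.com"),
                      ("www.company.*", "www.company.net"),
                      ("CX1*", "CX1NODE"), ("10.1.?.??", "10.1.2.33"),
                      ("10.1.2.3", "10x1x2x3")]:
        print(pat, addr, peer_matches(pat, addr))
```

The last sample shows why escaping matters: an unescaped "." in "10.1.2.3" would admit "10x1x2x3", widening the netmap entry beyond the address the administrator typed.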