The following lists show the changes from Airlock Gateway 8.2 to 8.3.
New
NEW: AP-29179 Configure host header for out-of-band health checks (CASE-30967, CASE-32619)
NEW: AP-30938 Allow request limiting per session (CASE-31840, CASE-32941, CASE-34692)
NEW: AP-33467 Automatically add OCSP servers to allowed network endpoints (CASE-33870)
NEW: AP-34645 Path conditions for IP whitelists
NEW: AP-34646 Custom settings for event notifications over the HTTP channel (e.g. proxy settings)
NEW: AP-34666 Retrieve logged-in users via REST endpoint (CASE-34917)
NEW: AP-34670 Configure host header sent on logout propagation (CASE-34832)
NEW: AP-35170 Add high security mapping template
NEW: AP-35235 Introduce new deny rule group for bot detection
NEW: AP-35278 Prevent enabling of OCSP stapling when using ACME services
NEW: AP-35453 Add configuration center user role "airlock-readonly"
NEW: AP-35454 Add configuration center user role "airlock-readonly-restricted"
NEW: AP-35455 Add configuration center user role "airlock-config-operator"
NEW: AP-35456 Add configuration center user role "airlock-cert-admin"
NEW: AP-35457 Add configuration center user role "airlock-config-editor"
NEW: AP-35458 Add configuration center user role "airlock-config-applier"
NEW: AP-35473 New deny rule DOR_020 blocks insecure multipart filename extensions in security level strict
NEW: AP-5632 DoS attack prevention for paths (CASE-24057)
NEW: Anomaly Shield Dashboards with drill down functionality for convenient analysis of evaluated traffic
Fixes
FIX: AP-20267 Correctly resize label value input field upon window resize
FIX: AP-26893 Redirect on non-standard ports when cancelling password change (CASE-32231)
FIX: AP-31557 Clean up ACME services DB on relevant changes
FIX: AP-33677 Avoid backend communication errors with client certificates when activating (CASE-34133)
FIX: AP-34744 Pulling of deny-rule group exceptions (CASE-34962, CASE-35490)
FIX: AP-34756 Support authentication when reporting to multiple remote Elasticsearch instances (CASE-31742)
FIX: AP-34821 Improved handling of security-headers in Configuration Center
FIX: AP-34875 XSS vulnerability in validator messages
FIX: AP-35004 Ensure that Kibana is running after restore of saved searches and dashboards
FIX: AP-35009 Mapping import with referenced JWKS-Providers
FIX: AP-35078 File descriptor leak if the threat intelligence servers are unreachable
FIX: AP-35268 Allow empty schemas for binary body validators (CASE-35262)
FIX: AP-35379 "Redirect to HTTPS": Support requests with "%3F" in the path
FIX: AP-35431 ext-apache: Better question mark tracking in mod_rewrite to avoid UnsafeAllow3F (CASE-35366)
FIX: AP-35489 Prevent concurrent activations when automatic retraining for Anomaly Shield is enabled (CASE-35325)
FIX: AP-35647 Restart ext-apache on OpenAPI document changes (CASE-35501)
FIX: AP-35795 Ensure that WR-SG-BLOCK-170 is also logged when error page replacement is enabled (CASE-35583)
Changes
CHG: AP-18799 Add the "Host" header to the log messages WR-SG-BACK-50x and WR-SG-BLOCK-801 (CASE-35067)
CHG: AP-26700 Optimized deny rule XSS_030 reducing the number of false positives (CASE-29782)
CHG: AP-26901 Allow CIDR style networks in allowed network endpoints table (CASE-29859)
CHG: AP-29608 Double max-age value of HSTS header to 31536000 (one year)
CHG: AP-32852 Deny rule SQL_050 no longer blocks tracestate header (CASE-33162)
CHG: AP-33274 Remove X-XSS-Protection Header from default allow list and default response action (CASE-34856)
CHG: AP-34636 Various deny rule evasion fixes
CHG: AP-34783 Remove the Kibana dashboard "GATEWAY Throughput (for licensing)"
CHG: AP-34820 Set SameSite flag on mgt-tomcat session cookies
CHG: AP-34824 Disable autocomplete for sensitive input fields in Configuration Center
CHG: AP-34835 Improve CSRF protection for Configuration Center
CHG: AP-34928 Added separate log message for client abort (CASE-34902)
CHG: AP-35066 Sanity deny rules no longer block characters of Unicode category "Format"
CHG: AP-35079 Optimized deny rule UNIX_005 reducing the number of false positives (CASE-35191)
CHG: AP-35101 Prohibit unwanted outgoing network traffic with RST instead of silent drops (CASE-35130)
CHG: AP-35184 Improve CSRF protection for Configuration Center REST interface
CHG: AP-35329 Remove support for configurations older than Airlock Gateway 7.7
CHG: AP-35560 Rename and document SG Expert Settings for JWKS client (CASE-35424)
CHG: AP-35586 Deprecating configuration center user role "airlock-supervisor"
CHG: AP-35602 Increase access restrictions for configuration center user role "airlock-auditor"
CHG: AP-35603 Increase access restrictions for configuration center user role "airlock-app-admin"
CHG: AP-35639 Change default search template to "Requests - GATEWAY All Requests" in Kibana log viewer
CHG: AP-35726 Sanity deny rule SAN_030 no longer blocks non-ASCII characters in the header value of the User-Agent header
CHG: AP-35760 Change "administrator" to "user" in SY-CCUSER log messages
Updates
UPD: AP-34697 Update to syslog-ng 4.8.0-2
UPD: AP-35318 Update to OpenSSH 8.7p1-38.el9.alma.2 (CVE-2024-6387)
UPD: AP-35328 Update to httpd 2.4.60 (CVE-2024-36387, CVE-2024-38475, CVE-2024-38473, CVE-2024-38477, CVE-2024-39573, CVE-2024-38472)
UPD: AP-35355 Update to OpenSSH 8.7p1-38.el9_4.1.alma.1 (CVE-2024-6409)
UPD: AP-35430 Update to httpd 2.4.62
UPD: AP-35528 Update misc Python libraries (scikit-learn 1.5.2, scipy 1.13.1, numpy 1.26.4, pandas 2.2.3, redis 5.0.2, msgpack 1.1.0)
UPD: AP-35533 Upgrade Elasticsearch/Kibana to 8.15.2
UPD: AP-35609 Update allowlist for bot detection
UPD: AP-35661 Update to OpenSSL 3.0.15
UPD: AP-35665 Update to OpenSSL 3.0.15
UPD: AP-35668 Update to httpd 2.4.62
UPD: AP-35669 Update to Kerberos 1.21.3
UPD: AP-35670 Update to c-icap 0.6.3
UPD: AP-35671 Update OS components
UPD: AP-35675 Update to GnuTLS 3.7.11
UPD: AP-35676 Update to jsoncons 0.177.0
UPD: AP-35679 Update to expat 2.6.3
UPD: AP-35680 Update to libmicrohttpd 1.0.1
UPD: AP-35681 Update misc JavaScript libraries
UPD: AP-35683 Update to libcurl 8.10.1
UPD: AP-35684 Update to Redis 7.4.0
UPD: AP-35686 Update to libmaxminddb 1.11.0
UPD: AP-35687 Update to Protobuf 28.2
UPD: AP-35690 Update to SQLite 3.46.1, SQLite-jdbc 3.46.1.0
UPD: AP-35691 Update to nghttp2 1.63.0
UPD: AP-35692 Update geolocation data (DB-IP)
UPD: AP-35693 Update to statsd-exporter 0.27.1
UPD: AP-35696 Update to PCRE2 10.44