Fixed Issues and Other Changes

Installation and Upgrading

Fixed an issue which could lead to rejection of self-signed admin SSL certificate by prospective clients because of absence of subject alternative name extension in the certificate.

Administrative Server

Fixed an issue where the 'adminport' setting could not be changed using the Admin UI.

Added X-Content-Type-Options: nosniff header in all responses for the admin server UI to enable the additional security protection measures in user agent where they are supported.

SOAP API

The version of the expat XML parser library used in the Administration Server has been increased to 2.4.1.

Connection Processing

Fixed an issue where the 'max_connections_pernode' setting could cause some requests to wait for longer than needed to restrict the number of connections to nodes.

Pools

Fixed an issue when setting max_connections_per_node, could cause a child process crash when a request is made to a pool with no working nodes.

Fixed an issue where the connection/transaction counters for a draining pool node could fail to decrease when a connection/transaction to a pool node is closed/completed. If the node was then reactivated the discrepancy in the counters could cause the traffic manager to cap the number of connections/transactions to the pool node to be much less than the configuration max_connections_pernode or max_transactions_per_node.

Fault Tolerance

Fixed an issue where vTM doesn't honor the flipper!use_bindip setting for binding the flipper port to a single IP Address following a software restart.

Service Protection

Fixed an issue that a client can establish more than max_1_connections connections to the vTM once some HTTP/1.x connections from the same client have been rejected due to being capped by max_1_connection.

Global Load Balancing

Fixed an issue where a request rule that used the TrafficScript function request.setRemoteIP() on a virtual server configured with GLB could cause the zeus.zxtm child process to restart.

Fixed an issue where a zeus.zxtm child process could restart if the GLB feature was used without a GeoIP database loaded. Where a GLB algorithm with geographic effect is used and no location can be discovered for a DNS query, for example if the source IP address is in a private range, the nearest datacentre calculation will no longer select the datacentre nearest to 0"N 0"E. In this situation DNS answers for any of the datacentres can be returned at random according to their weighting in response to a DNS request made to a GLB virtual server. The locations.cfg configuration file can be used to give geographic locations to private IP ranges.

DNS Server

Fixed an issue where a virtual server using the built-in DNS server could fail to find the most specific case-insensitive match, if a wildcard was present in zone file.

Fixed an issue which prevented the Traffic Manager's built-in DNS server from using DNSSEC NSEC/NSEC3 with resource record types greater than 255.

The Traffic Manager's built-in DNS server now supports CAA records.

SSL/TLS and Cryptography

Fixed an issue where a virtual server receiving an invalid TLS client hello could emit log messages referring to an 'IP Prefix' even when the 'ssl_trust_magic' configuration setting was disabled.

Fixed an issue where a virtual server with 'log!ssl_failures' enabled displayed wrong timings in the event log when a connection timed out during the TLS handshake - the "Client idle since" field now contains the time at which the connection was closed, having failed to complete the TLS handshake.

Logging

Appliance OS

Updated the appliance kernel to version 4.15.0-166.174, and updated packages installed on the appliance. These updates include changes addressing:

CVE-2019-19449 CVE-2020-3702 CVE-2020-16592 CVE-2020-21913
CVE-2020-36322 CVE-2020-36385 CVE-2021-0920 CVE-2021-2341
CVE-2021-2369 CVE-2021-2388 CVE-2021-3487 CVE-2021-3655
CVE-2021-3679 CVE-2021-3732 CVE-2021-3733 CVE-2021-3737
CVE-2021-3743 CVE-2021-3744 CVE-2021-3753 CVE-2021-3759
CVE-2021-3760 CVE-2021-3764 CVE-2021-3778 CVE-2021-3796
CVE-2021-3800 CVE-2021-3903 CVE-2021-3927 CVE-2021-3928
CVE-2021-4002 CVE-2021-20317 CVE-2021-20321 CVE-2021-22543
CVE-2021-25219 CVE-2021-28831 CVE-2021-35550 CVE-2021-35556
CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565
CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35588
CVE-2021-35603 CVE-2021-37159 CVE-2021-37576 CVE-2021-38198
CVE-2021-38199 CVE-2021-38204 CVE-2021-38205 CVE-2021-40490
CVE-2021-41864 CVE-2021-42008 CVE-2021-42252 CVE-2021-42374
CVE-2021-42378 CVE-2021-42379 CVE-2021-42380 CVE-2021-42381
CVE-2021-43527

Cloud Platforms

Fixed an issue that appliance upgrade could fail if the appliance's grub2 configuration did not match the disk device that the system booted from.

Fixed an issue preventing the application log details page from loading.

Fixed an issue preventing the download of application logs.

Improved logging when parsing body data.