IBM Support

IBM Security Network Protection Firmware Version 5.3.1.2 Release Notes

Fix Readme


Abstract

IBM Security Network Protection Firmware Version 5.3.1.2 is a firmware update for the XGS NGIPS network protection platform. This release provides the following updates to IBM Security Network Protection Firmware Version 5.3.1.

Content

X-Press Update 35.065 is included in this firmware update and contains the same security content as X-Press Update 35.062.
Serviceability and support enhancements:
  • Added support for policy migration from IBM Security Network Intrusion Prevention System 4.6.2 to IBM Security Network Protection.
  • Added the ability to migrate Network Intrusion Prevention System Remote Flow Data Collection policy to Network Protection Flowdata policy.
  • Added the ability to migrate Network Intrusion Prevention System NTP Servers policy to Network Protection NTP policy.

Note: For updated instructions, see the Security Network IPS policy migration topic in the IBM Knowledge Center.

Fixes for the following Outbound SSL inspection issues:
  • Defect 71864: Man-in-the-Middle (MitM) TLS records go to Passive logic when MitM fails early, and the connection is abandoned.
  • Defect 72451: SSL session using the SPDY protocol should be abandoned, because IBM does not support the SPDY protocol.
  • Defect 72092: Outbound SSL inspection fails when ClientHello is using V2 Handshake and a length greater than 255 bytes.
  • Defect 72023: Captive portal redirect response cannot exceed 256 bytes.
  • Defect 71659: Outbound SSL inspection does not work with SSLv3.
  • Defect 71164: Lack of PMTU discovery support in Outbound SSL inspection. 
  • Defect 70754: Unable to redirect to captive portal if user accesses some specific web sites using HTTPS.
  • Defect 43742: After authentication, captive portal fails to redirect to the website when using Google Chrome and Outbound SSL inspection.

Note: The Outbound SSL inspection feature does not support the SPDY protocol. See technote 1903522 for more detail.


Fixes not related to Outbound SSL inspection:
  • Defect 72327: Disabled the RC4 cipher in IBM HTTP Server by default to prevent the Bar Mitzvah attack (CVE-2015-2808).
  • Defect 70651: Update pamoschecker to latest version.
  • Defect 71789: Signal 49 (Timer Expiration) Observed with Specific UDP Throughput Tests (XGS7100@8x10G).
  • Defect 72486: Appliance SSL Certificate doesn't migrate when updated from firmware version 5.2 to firmware version 5.3.x.x.
  • Defect 72482: The LMI login session is not cleaned up after reboot.
  • Defect 72384: LMI sorting failed on advanced tuning parameter policy.
  • Defect 72077: Captive portal page is not shown when performance level is set to 4 on XGS 5100 appliance.
  • Defect 71714: Misleading "No ports configured" warning displayed on XGS 7100 appliance.
  • Defect 71709: Change housekeeping interval to 25ms to avoid problems with PAM's shared memory reclamation.
  • Defect 71685: Unnecessary custom_lang overhead when loading LMI pages.
  • Defect 71647: Traffic Details By User filter fails when expanded IPv6 address is given.
  • Defect 71509: Wrong response indicated after entering valid allocation values to event log object using web service.
  • Defect 71548: LES post web service doesn't work due to the unnecessary CSRF handling.
  • Defect 71332: Source and Destination are reversed in inbound SSL event.
  • Defect 71114: LCD display unintelligible after hundreds of restarts.
  • Defect 56895: Add tuning parameter dpdk.hash_l4=true to hash flows based on L4 tuples.
  • Security: unzip CVE-2014-8139 CVE-2014-8140 CVE-2014-8141 
  • Security: krb5 CVE-2014-5352 CVE-2014-5353 CVE-2014-5355 CVE-2014-9421 CVE-2014-9422
  • Security: openssl CVE-2014-8176 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-3216
  • Security: openssl CVE-2015-4000 Logjam
  • Security: java-1.7.0 SR9 CVE-2015-0138 CVE-2015-0192 CVE-2015-0204 CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 CVE-2015-2808

Compatibility

The following web browsers are currently supported by the IBM Security Network Protection 5.3.1.2 local management interface:
  • Internet Explorer 10 or 11
  • Firefox 28 or later
  • Google Chrome 34 or later
To manage IBM Security Network Protection 5.3.1.2 appliances using the SiteProtector System, you must apply the following database service packs:
  • SiteProtector System 3.0 - Install all DBSPs up to and including SP3.0 DBSP 3.0.0.36
  • SiteProtector System 3.1.1 - Install all DBSPs up to and including SP3.1.1 DBSP 3.1.1.18

Installation and Configuration

For step-by-step installation instructions, see the Installing Updates topic in the IBM Knowledge Center.

For other configuration instructions, see the following topics in the IBM Knowledge Center:

Known issues

Firmware update 5.3.1.2 contains the following known issues:
  • Changing any alpsd tuning parameters restarts the packet processing process. All links are disabled during the restart process.
  • Large file downloads may stall and eventually fail when downloading over HTTPS and using Outbound SSL Inspection.
  • HTTPS pages may stall and fail to load for clients when using Outbound SSL Inspection.
  • Websites using the SPDY protocol fail to load over HTTPS when using Outbound SSL Inspection. See technote 1903522 for more details.

Document Information

Modified date:
24 January 2021

UID

swg21961419