Trend Micro, Inc.                                        June 16, 2015
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) InterScan(TM) Web Security Virtual Appliance 6.5
Service Pack 1 Critical Patch 2 - Build 1313
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
===================================================================
   1. Overview of this Critical Patch Release
      1.1 Files Included in this Release
   2. Documentation Set
   3. System Requirements
   4. Installation/Uninstallation
      4.1 Installation
      4.2 Uninstallation
   5. Post-installation Configuration
   6. Known Issues
   7. Release History
      7.1 Prior Hot Fixes
   8. Contact Information
   9. About Trend Micro
   10. License Agreement
===================================================================


1. Overview of this Critical Patch Release
======================================================================

   This critical patch resolves the following issues:

   Issue 1: (TT-318221) Some common modules in InterScan Web Security
            Virtual Appliance (IWSVA) 6.5 may stop unexpectedly and
            generate dump files.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This critical patch updates the iCRC and SA common
               modules in IWSVA 6.5 to prevent these from stopping
               unexpectedly and generating dump files.
   -------------------------------------------------------------------
   Issue 2: IWSVA 6.5 removes the XFF HTTP headers from customized
            text-based logs.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This critical patch ensures that IWSVA 6.5 does not
               delete XFF HTTP headers from customized text-based log
               files.
   -------------------------------------------------------------------
   Issue 3: The "client_skip_content" key setting may trigger certain
            vulnerabilities in IWSVA 6.5.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: This critical patch enables IWSVA 6.5 to clean the
               "client_skip_content" key setting to prevent the
               vulnerabilities.
   -------------------------------------------------------------------
   Issue 4: (TT-324504) Administrators encounter a S98upgrade script
            error when IWSVA starts up after being upgraded from
            version 6.5 to version 6.5 Service Pack 1.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This critical patch corrects the corresponding script
               to ensure that it runs smoothly.
   -------------------------------------------------------------------
   Issue 5: (TT-323958) The last modified time information for a
            policy changes to the current time once users access the
            policy even when users did not make changes to the policy.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5: This critical patch ensures that the last modified time
               information for a policy changes only when users make
               changes to the policy.
   -------------------------------------------------------------------
   Issue 6: (TT-321787) The migration script stops responding when it
            encounters a time skew issue between the configuration
            replication (CCR) source and receiver.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6: This critical patch resolves the issue.


   1.1 Files Included in this Release
   ===================================================================

   A. Files for Current Issue
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   libdaemon.so                              1313
   svcmonitor                                1313
   isdelvd                                   1313

   Files for Issue 1
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   libICRCHdler.so                           1313
   libICRCHdler.so.1                         1313
   libtmsa.so                                1313
   libtmwk.so                                1313

   Files for Issue 2
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   libdaemon.so                              1313
   libproductbase.so                         1313
   IWSSPIDlpFilter                           1313
   IWSSPIDpi.so                              1313
   IWSSPIJavascan.so                         1313
   IWSSPIScanVsapi.so                        1313
   IWSSPISigScan.so                          1313
   IWSSPIUrlFilter.so                        1313
   libhttpproxy.so                           1313
   libicap.so                                1313
   libuiauutil.so                            1313
   libReportLogging.so                       1313
   libProductLibrary.so                      1313
   libiwsshelper.so                          1313

   Files for Issue 3
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   intscan.ini                               1313

   Files for Issue 4
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   S98upgrade                                1313

   Files for Issue 5
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   IWSSGui.jar                               1313

   Files for Issue 6
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   IWSSGui.jar                               1313

   B. Files for Previous Solutions
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   IWSSPIUrlFilter.so                        1303
   libhttpproxy.so                           1303
   libHTTPSDecryption.so                     1303
   appd                                      1305
   libdaemonbase.so                          1305
   dtasagent                                 1305
   client.py                                 1305
   config_network_interface.jsp              1305
   IWSSPIDlpFilter.so                        1305
   IWSSPIDpi.so                              1305
   IWSSPIJavascan.so                         1305
   IWSSPINcie.so                             1305
   IWSSPIScanVsapi.so                        1305
   IWSSPISigScan.so                          1305
   libftp.so                                 1305
   libicap.so                                1305
   svcmonitor_dump.sh                        1305
   libtmsa.so                                1305
   libtmwk.so                                1305
   libuiauutil.so                            1305
   webConsole.jsp                            1305
   libcavium.so                              1305
   LdapSyncTool                              1305
   libcommonldap.so                          1305
   rule_file_va6.0_to_va6.0.xml              1305
   rule_file_va6.0sp1_to_va6.0sp1.xml        1305
   rule_file_va6.5_to_va6.5.xml              1305
   rule_file_va6.5sp1_to_va6.5sp1.xml        1305
   libtmuseng.so.1.0.1012                    1305
   iwss_log_converter.py                     1305
   logging.properties                        1309
   i18n_warnmsg.js                           1309
   pac_files_edit.jsp                        1309
   pac_files.jsp                             1309
   iwsvafw.sh                                1309
   IWSSGui.jar                               1309


2. Documentation Set
======================================================================

   In addition to this readme.txt, the documentation set for this
   product includes the following:

   o  Readme.txt - basic installation, known issues, release history
      and contact information

   o  Electronic versions of the printed manuals are available at:
      http://www.trendmicro.com/download


3. System Requirements
======================================================================

   There are no additional requirements for installing this critical
   patch.


4. Installation/Uninstallation
======================================================================

   4.1 Installation
   ===================================================================

   To install this critical patch:

   1. Download the "iwsva_65_sp1_ar64_en_criticalpatch_b1313.tgz"
      critical patch file to your local hard disk.

   2. Log on to the IWSVA admin console GUI.

   3. Go to the "Administration > System Updates" page.

   4. Click "Browse".

   5. Browse your local hard disk for the
      "iwsva_65_sp1_ar64_en_criticalpatch_b1313.tgz" critical patch
      file and click "Open".

   6. Click "Upload".
      Your browser uploads the critical patch file to IWSVA which
      validates if the file is a legitimate critical patch.

   7. Click "Install" to apply the critical patch and update IWSVA to
      build 1313. The HTTP and FTP services in IWSVA restart
      automatically.

      NOTE: Applying this critical patch interrupts the HTTP and FTP
            services for several minutes. Plan appropriately for this
            downtime.

   8. Clear the browser cache.

   4.2 Uninstallation
   ===================================================================

   To uninstall the critical patch:

   1. Log on to the IWSVA admin console GUI.

   2. Go to the "Administration > System Updates" page.

   3. Click "Uninstall" next to "cpb1313" and verify the critical
      patch ID and description in the confirmation page that appears.

   4. Click "Uninstall" to remove Critical Patch 1313 and rollback
      IWSVA to the previous build. The HTTP and FTP services in IWSVA
      restart automatically.

      NOTE: Removing this critical patch interrupts the HTTP and FTP
            services for several minutes. Plan appropriately for this
            downtime.


5. Post-installation Configuration
======================================================================

   No post-installation steps are required.

   Note: Trend Micro recommends that you update your scan engine and
         virus pattern files immediately after installing this
         critical patch.


6. Known Issues
======================================================================

   There are no known issues for this critical patch.


7. Release History
======================================================================

   See the following web site for more information about updates to
   this product:

   http://www.trendmicro.com/download/product.asp?productid=86

   7.1 Prior Hot Fixes
   ===================================================================

   Note: Only the new solutions were tested for this release. Prior
         hot fixes were tested at the time of their release.
   Hot Fix 1309

   Issue 1: End users cannot download the PAC file from the IWSVA 6.5
            web console because the web browser does not trust the
            certificate of the IWSVA 6.5 web console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hot fix enables users to download the PAC file
               from the IWSVA 6.5 through HTTP.

   Issue 2: [Hot Fix 1309] (TT-322715) The "catalina.out" Tomcat log
            file in the IWSVA 6.5 web server may grow to a very large
            size.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This hot fix enables IWSVA 6.5 to clean this Tomcat
               log file regularly to ensure that it stays within the
               normal size range.

   Critical Patch 1305

   Issue 1: (TT-000231) When the appd process closes, it may use
            resources that have already been released which may
            trigger a core dump issue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This critical patch prevents the appd process from
               using released resources while exiting to prevent the
               core dump issue.

   Issue 2: The iwssd process may trigger a core dump issue while
            accessing URLs that belong to one or more custom
            categories and use a multi-part format for downloads and
            uploads. This occurs because under this scenario, iwssd
            may release a memory block twice.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This critical patch prevents iwssd from releasing a
               memory block twice.

   Issue 3: When the log agent processes UserName information and a
            UserName uses double-byte characters, the log agent does
            not use Unicode to decode the UserName. This can trigger
            an error when the log agent attempts to check the
            UserName RBAC information.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: This critical patch enables the log agent to use
               Unicode to decode UserName information that contains
               DBCS characters.

   Issue 4: The iwssd process does not have a time out mechanism when
            it waits for scan results from the Script Analysis.
            This may trigger a core dump issue when there is a large
            number of files in the Script Analysis queue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This critical patch prevents the core dump issue under
               the scenario described above.

   Issue 5: By default, the IWSVA 6.5 Service Pack 1 web console uses
            HTTPS and a built-in certificate which users cannot
            replace.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 5: This critical patch allows users to import their own
               certificates into IWSVA.

   Issue 6: IWSVA 6.5 Service Pack 1 uses OpenSSL 1.0.0j which is
            affected by several vulnerabilities.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 6: This critical patch updates the OpenSSL lib in IWSVA
               to the latest version.

   Issue 7: (TT-318441) By default, IWSVA 6.5 supports the
            "UserPrincipalName" value for authentication, however,
            the authentication may fail when users have configured
            multiple Active Directory (AD) servers.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 7: This critical patch provides a way for users to
               prevent IWSVA 6.5 from converting the
               "UserPrincipalName" values to ensure that IWSVA 6.5
               can perform authentication normally when multiple AD
               servers are configured.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 7: To disable "UserPrincipalName" conversion:

   a. Open the "LdapSetting.ini" file in the "/usr/iwss/commonldap/"
      folder.

   b. Add the "convert_prin=no" key in the "LDAP_Setting" section.

      [LDAP_Setting]
      convert_prin=no

      Note: To allow IWSVA 6.5 to convert "UserPrincipalName" values
            again, set "convert_prin=yes".

   c. Save the changes and close the file.

   d. Run the following command:

      run cmd /etc/iscan/commonldap/LdapSyncTool.sh

   Issue 8: (TT-321097) By default, the scheduled configuration
            replication feature of IWSVA 6.5 Service Pack 1
            replicates policies and configuration files, however,
            some users prefer to replicate policies only.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 8: This critical patch provides a way for users to
               configure the scheduled configuration replication
               feature to replicate policies only.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure 8: To configure the scheduled configuration replication
                feature to replicate policies only:

   a. Open the "intscan.ini" file in the "/etc/iscan" folder on the
      CCR source machine.

   b. Add the "schedule_ccr_type=4" key in the "CCR" section.

      [CCR]
      schedule_ccr_type=4

   c. Save the changes and close the file.

   d. Run the following command:

      /etc/iscan/S99IScanHttpd restart

   Issue 9: (TT-318351) Sometimes, Kerberos authentication fails and
            prevents IWSVA 6.5 Service Pack 1 from syncing with LDAP
            servers. This occurs when multiple AD servers have been
            specified in the "User Identification" page of the
            IWSVA 6.5 Service Pack 1 console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 9: This critical patch ensures that IWSVA 6.5 Service
               Pack 1 can successfully run Kerberos authentication
               and sync with LDAP servers when multiple AD servers
               are specified in the "User Identification" page.

   Issue 10: (TT-318663) After migrating the configuration in
             IWSVA 6.5 Service Pack 1, administrators encounter a
             duplicate key error while attempting to add or edit the
             exception list of an existing policy.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 10: This critical patch updates the sequence of processes
                during migration to prevent the duplicate key error
                and to ensure that administrators can add or edit
                exception lists of existing policies successfully.

   Issue 11: (TT-314804) IWSVA 6.5 Service Pack 1 cannot block the
             Tor program even after users set it to block the
             application through the IWSVA web console.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 11: This critical patch makes changes to the default
                settings of IWSVA 6.5 to enable the appd daemon to
                block programs properly.

   Issue 12: (TT-319892) When IWSVA 6.5 is configured to use an
             upstream proxy and its HTTPS decryption feature is
             enabled, users may not be able to access random HTTPS
             web sites.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 12: This critical patch ensures that users can access
                HTTPS web sites without issues when IWSVA is
                configured to use an upstream proxy and its HTTPS
                decryption feature is enabled.

   Issue 13: (TT-318221) The TMUSE engine stops unexpectedly when the
             Dynamic URL Categorization feature is enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 13: This critical patch resolves the issue by updating
                the TMUSE engine.

   Hot Fix 1303

   Issue 1: [Hot Fix 1303] (TT-321197) A parsing error prevents users
            from accessing a certain web site from computers
            protected by IWSVA 6.5 Service Pack 1 in ICAP mode.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hot fix resolves the issue so that users can
               access the web site normally in affected computers.

   Issue 2: [Hot Fix 1303] (TT-321129) Builds of IWSVA 6.5 Service
            Pack 1 that are lower than the common build number of
            IWSVA 6.5 cannot register to Trend Micro Control
            Manager(TM) 6.0. This occurs because builds of IWSVA 6.5
            Service Pack 1 are treated as builds of IWSVA 6.5 so
            IWSVA 6.5 Service Pack 1 build numbers that are lower
            than the common build number of IWSVA 6.5 are considered
            as out-dated.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This hot fix ensures that any build of IWSVA 6.5
               Service Pack 1 can successfully register to Control
               Manager 6.0.

   Issue 3: [Hot Fix 1303] (TT-318535) When the user identification
            feature of IWSVA 6.5 Service Pack 1 is enabled, certain
            client applications cannot perform authentication and
            will not be able to run.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: This hot fix resolves the issue by enabling IWSVA 6.5
               Service Pack 1 to skip authentication while
               processing HTTP requests when the user identification
               feature is enabled but the HTTP request does not have
               a "user-agent" header.

   Issue 4: [Hot Fix 1303] (TT-316742) The Server Name Identification
            feature does not work when IWSVA 6.5 Service Pack 1 is
            deployed with an upstream proxy server.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4: This hot fix ensures that the Server Name
               Identification feature works normally when IWSVA 6.5
               Service Pack 1 is deployed with an upstream proxy
               server.


8. Contact Information
======================================================================

   A license to the Trend Micro software usually includes the right
   to product updates, pattern file updates, and basic technical
   support for one (1) year from the date of purchase only. After the
   first year, Maintenance must be renewed on an annual basis at
   Trend Micro's then-current Maintenance fees.

   You can contact Trend Micro by fax, phone, and email, or visit us
   at:

   http://www.trendmicro.com

   Evaluation copies of Trend Micro products can be downloaded from
   our web site.

   Global Mailing Address/Telephone numbers
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   For global contact information in the Asia/Pacific region,
   Australia and New Zealand, Europe, Latin America, and Canada,
   refer to:

   http://www.trendmicro.com/en/about/overview.htm

   The Trend Micro "About Us" screen displays. Click the appropriate
   link in the "Contact Us" section of the screen.

   Note: This information is subject to change without notice.


9. About Trend Micro
======================================================================

   Trend Micro Incorporated, a global leader in Internet content
   security and threat management, aims to create a world safe for
   the exchange of digital information for businesses and consumers.
   A pioneer in server-based antivirus with over 20 years experience,
   we deliver top-ranked security that fits our customers’ needs,
   stops new threats faster, and protects data in physical,
   virtualized and cloud environments. Powered by the Trend Micro
   Smart Protection Network(TM) infrastructure, our industry-leading
   cloud-computing security technology and products stop threats
   where they emerge, on the Internet, and are supported by 1,000+
   threat intelligence experts around the globe. For additional
   information, visit www.trendmicro.com.

   Copyright 2015, Trend Micro Incorporated. All rights reserved.
   Trend Micro, the t-ball logo, Smart Protection Network, InterScan,
   and Control Manager are trademarks of Trend Micro Incorporated and
   are registered in some jurisdictions. All other marks are the
   trademarks or registered trademarks of their respective companies.


10. License Agreement
======================================================================

   Information about your license agreement with Trend Micro can be
   viewed at:

   http://us.trendmicro.com/us/about/company/user_license_agreements/

   Third-party licensing agreements can be viewed:

   - By selecting the "About" option in the application user
     interface
   - By referring to the "Legal" page of the Getting Started Guide or
     Administrator's Guide