<<<>>>
Trend Micro Incorporated                              December 8, 2016
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) InterScan(TM) Web Security Virtual Appliance 6.5
Service Pack 2 Critical Patch - Build 1731
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: Trend Micro developed this Critical Patch as a workaround or
solution to a problem reported by customers. As such, this Critical
Patch has received limited testing and has not been certified as an
official product update.

Consequently, THIS CRITICAL PATCH IS PROVIDED "AS IS". TREND MICRO
MAKES NO WARRANTY OR PROMISE ABOUT THE OPERATION OR PERFORMANCE OF
THIS Critical Patch NOR DOES TREND MICRO WARRANT THIS CRITICAL PATCH
AS ERROR FREE. TO THE FULLEST EXTENT PERMITTED BY LAW, TREND MICRO
DISCLAIMS ALL IMPLIED AND STATUTORY WARRANTIES, INCLUDING BUT NOT
LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT
AND FITNESS FOR A PARTICULAR PURPOSE.

Contents
==========================================================
1.  Critical Patch Release Information
    1.1 Resolved Known Issues
    1.2 Enhancements
    1.3 Files Included in this Release
2.  Documentation Set
3.  System Requirements
4.  Installation
    4.1 Installing
    4.2 Uninstalling
5.  Post-installation Configuration
6.  Known Issues
7.  Release History
    7.1 Prior Critical Patches
8.  Contact Information
9.  About Trend Micro
10. License Agreement
==========================================================


1. Critical Patch Release Information
======================================================================
This Critical Patch resolves several issues in InterScan Web Security
Virtual Appliance (IWSVA) 6.5 Service Pack 2. Refer to "Resolved Known
Issues" for more information.

   1.1 Resolved Known Issues
   ===================================================================
   This Critical Patch resolves the following issue:

   Issue 1:     [Hotfix 1731] (TT-351773)
                End users cannot see the shared remote desktop using
                Skype in Web Cache Communication Protocol (WCCP) mode.
                This issue occurs because the OpenSSL module sends an
                alert message when it comes across Skype HTTPS
                traffic.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1:  This hotfix handles this issue to channel Skype HTTPS
                traffic.

   Issue 2:     [Hotfix 1731] (TT-355725)
                Non-administrator users are able to go beyond their
                access permissions and apply administrator operations.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2:  This hotfix validates the user's permissions before
                applying administrator operations in the web service
                process.

   1.2 Enhancements
   ===================================================================
   There are no enhancements in this Critical Patch.

   1.3 Files Included in this Release
   ===================================================================

   A. Files for Current Issue
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   libdaemon.so                              1731
   svcmonitor                                1731
   isdelvd                                   1731

   Files for Issue 1
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   libdaemon.so                              1731
   libhttpproxy.so                           1731

   Files for Issue 2
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   IWSSGui.jar                               1731

   B. Files for Previous Solutions
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   libdaemon.so                              1709
   ftp_config_action.jsp                     1709
   ftp_config_dlp.jsp                        1709
   ftp_config_exception.jsp                  1709
   ftp_config_spyware.jsp                    1709
   libProductLibrary.so                      1709
   IWSSPIDpi.so                              1709
   appd                                      1709
   AutoSetupAlchemySettings                  1709
   northamerica                              1709
   config_backup_popup.jsp                   1709
   client.py                                 1709
   urlblocking.jsp                           1712
   server.xml                                1712
   IWSSPIUrlFilter.so                        1715
   dtasagent                                 1721
   IWSSGui.jar                               1721
   urlf_policy_list.jsp                      1721
   custom_defense.jsp                        1721
   support.jsp                               1721
   support_capture_packet.jsp                1721
   support_diagnostic_tool.jsp               1721
   support_verbose_log.jsp                   1721
   upload_sample_sizing.jsp                  1721
   risk_level.jsp                            1721
   IWSSPIScanVsapi.so                        1721
   query_blacklist.py                        1721
   query_ddi_blacklist.py                    1721
   S99ISdtasd                                1721
   test_connection.py                        1721
   get_sandbox_feedback_blacklists.xml       1721
   libicap.so                                1726
   IWSSGui.jar                               1728
   libhttpproxy.so                           1729
   LDAPTest                                  1730


2. Documentation Set
======================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com


3. System Requirements
======================================================================
Trend Micro recommends installing IWSVA 6.5 Service Pack 2 Patch 1
Build 1707 before installing this Critical Patch.


4. Installation
======================================================================
This section explains key steps for installing the Critical Patch.

   4.1 Installing
   ===================================================================
   To install:

   1. Download the "iwsva_65_sp2_ar64_en_cpb1731.tgz" Critical Patch
      file to your local hard disk.

   2. Log on to the IWSVA admin console GUI.

   3. Go to the "Administration > System Updates" page.

   4. Click "Browse".

   5. Browse your local hard disk for the
      "iwsva_65_sp2_ar64_en_cpb1731.tgz" Critical Patch file and
      click "Open".

   6. Click "Upload". Your browser uploads the Critical Patch file to
      IWSVA which validates if the file is a legitimate Critical
      Patch.

   7. Click "Install" to apply the Critical Patch and update IWSVA to
      build 1731. The HTTP and FTP services in IWSVA restart
      automatically.

      NOTE: Applying this Critical Patch interrupts the HTTP and FTP
            services for several minutes. Plan appropriately for this
            downtime.

   8. Clear the browser cache.

   4.2 Uninstalling
   ===================================================================
   To roll back to the previous build:

   1. Log on to the IWSVA admin console GUI.

   2. Go to the "Administration > System Updates" page.

   3. Click "Uninstall" next to "cpb1731" and verify the Critical
      Patch ID and description in the confirmation page that appears.

   4. Click "Uninstall" to remove Critical Patch 1731 and roll back
      IWSVA to the previous build. The HTTP and FTP services in IWSVA
      restart automatically.

      NOTE: Removing this Critical Patch interrupts the HTTP and FTP
            services for several minutes. Plan appropriately for this
            downtime.


5. Post-installation Configuration
======================================================================
No post-installation steps are required.

NOTE: Trend Micro recommends that you update your scan engine and
      virus pattern files immediately after installing the product.


6. Known Issues
======================================================================
There are no known issues for this Critical Patch release.


7. Release History
======================================================================
For more information about updates to this product, go to:

   http://www.trendmicro.com/download

   7.1 Prior Critical Patches
   ===================================================================
   NOTE: Only this Critical Patch was tested for this release. Prior
         Critical Patches were tested at the time of their release.

   Hotfix 1710

   Issue:       [Hotfix 1710] (TT-349268)
                When HTTPS decryption is enabled, IWSVA cannot load an
                HTTPS webpage if the HTTP header does not contain a
                "Content-length" or "Transfer-Encoding" heading.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:    This hotfix ensures that users can access HTTPS
                websites successfully while HTTPS decryption is
                enabled.

   Hotfix 1712

   Issue:       [Hotfix 1712] (TT-348926)
                Microsoft(TM) Internet Explorer(TM) stops responding
                when users import the list of blocked URLs to IWSVA
                and the list has more than 7000 entries.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:    This hotfix updates the parsing algorithm to improve
                the parsing speed to enable Internet Explorer to
                handle large blocked URL lists.

   Hotfix 1714

   Issue:       [Hotfix 1714] (TT-351297)
                When a client uploads files to a server through an
                application server and IWSVA scans the files through
                ICAP, IWSVA does not allow the acknowledgment traffic
                (0-byte file) to pass and sends an error code 100
                instead. This happens because IWSVA checks the
                "Encapsulated:" ICAP header only which does not have
                a "null-body".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:    This hotfix enables IWSVA to check both the
                "Encapsulated:" ICAP header and the "Content-length"
                HTTP header so that if the "Content-length" is "0",
                it will also treat it as a "null-body". This ensures
                that IWSVA allows the acknowledgment traffic (0-byte
                file) to pass.

   Hotfix 1715

   Issue:       [Hotfix 1715] (TT-351297)
                IWSVA stops unexpectedly when it calls the strncpy
                function and the length of the char pointer is "0".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:    This hotfix resolves the issue by enabling IWSVA to
                check the length of the char pointer before calling
                the strncpy function.

   Hotfix 1716

   Issue:       [Hotfix 1716] (TT-352892)
                IWSVA cannot save changes to the priority setting of
                a URL filtering policy if the current policy priority
                is lower than 2498.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:    This hotfix ensures that IWSVA can save changes to
                the priority setting of a URL filtering policy.
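
The body check that Hotfix 1714 describes (listed again as Issue 2 of Hotfix 1726), as an added example that is not Trend Micro's code: an ICAP message counts as having no body when the "Encapsulated:" value carries "null-body" or, with the hotfix behaviour, when the encapsulated HTTP header has a "Content-length" of "0". The function names, the check_length flag and the sample message are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: 1 if the Encapsulated value names a null-body
   entity (RFC 3507), e.g. "req-hdr=0, null-body=170". */
static int has_null_body(const char *encap)
{
    return strstr(encap, "null-body=") != NULL;
}

/* Content-Length from the encapsulated HTTP headers; -1 if the header
   is absent or its value is not a plain decimal number. */
static long content_length(const char *hdrs)
{
    static const char name[] = "Content-Length:";
    for (const char *ln = hdrs; *ln; ) {
        if (strncasecmp(ln, name, sizeof name - 1) == 0) {
            const char *v = ln + sizeof name - 1;
            char *end;
            while (*v == ' ' || *v == '\t') v++;
            if (!isdigit((unsigned char)*v)) return -1;
            long n = strtol(v, &end, 10);
            return (*end == '\r' || *end == '\n' || *end == '\0') ? n : -1;
        }
        const char *nl = strchr(ln, '\n');
        if (!nl) break;
        ln = nl + 1;
    }
    return -1;
}

/* check_length = 0: "Encapsulated:" header only (the behaviour the issue
   text describes). check_length = 1: "Content-Length: 0" also counts. */
int body_is_empty(const char *encap, const char *hdrs, int check_length)
{
    return has_null_body(encap) || (check_length && content_length(hdrs) == 0);
}

/* Constructed sample: a 0-byte acknowledgment announced as req-body. */
static const char ACK_ENCAP[] = "req-hdr=0, req-body=41";
static const char ACK_HTTP[] = "POST /ack HTTP/1.1\r\nContent-Length: 0\r\n\r\n";

int main(void)
{
    printf("Encapsulated only:   %d\n", body_is_empty(ACK_ENCAP, ACK_HTTP, 0));
    printf("With Content-Length: %d\n", body_is_empty(ACK_ENCAP, ACK_HTTP, 1));
    return 0;
}
```
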

   Hotfix 1717

   Issue:       [Hotfix 1717] (TT-352982)
                The URL filtering feature of IWSVA 6.5 Service Pack 2
                may block the wrong domains.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:    This hotfix ensures that IWSVA can correctly match
                URLs with the filtering policy so that it blocks the
                correct domains.

   Hotfix 1721

   Enhancement: This hotfix integrates the Trend Micro Deep Discovery
                Inspector and Trend Micro Control Manager(TM) SO
                acquirement interface into the IWSVA web console.
                This enables IWSVA to retrieve the SO list from both
                products, to block SO's on the list including IPs,
                URLs, domains, and files, and perform Advanced Threat
                Protection scanning.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure:   To enable the feature:

                a. Open the "intscan.ini" file in the "/etc/iscan"
                   folder.

                b. Locate or add the "so_integration_enabled" key and
                   set its value to "1".

                   Note: To disable the feature, set
                         "so_integration_enabled=0".

                c. Save the changes and close the file.

                d. Refresh the "HTTP > Advanced Threat Protection >
                   Custom Defense > Custom Defense Settings" page.

   Hotfix 1726

   Issue 1:     [Hotfix 1726] (TT-350383)
                After updating to IWSVA Service Pack 2 Build 1707,
                users may not be able to browse HTTPS websites
                properly.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1:  This hotfix resolves the issue by ensuring that IWSVA
                can correctly handle the TCP FIN, so that when this
                is killed in the webserver, the corresponding HTTP
                header will keep it alive.

   Issue 2:     [Hotfix 1726] (TT-351297)
                When a client uploads files to a server through an
                application server and IWSVA scans the files through
                ICAP, IWSVA does not allow the acknowledgment traffic
                (0-byte file) to pass and sends an error code 100
                instead. This happens because IWSVA checks the
                "Encapsulated:" ICAP header only which does not have
                a "null-body".
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2:  This hotfix enables IWSVA to check both the
                "Encapsulated:" ICAP header and the "Content-length"
                HTTP header so that if the "Content-length" is "0",
                it will also treat it as a "null-body". This ensures
                that IWSVA allows the acknowledgment traffic (0-byte
                file) to pass.

   Issue 3:     [Hotfix 1726] (TT-352011)
                Websites do not load properly when HTTPS decryption
                is enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3:  This hotfix resolves the issue by enabling IWSVA to
                properly handle zero length data from a webserver,
                such as in the website "https://www.it.nrw.de".

   Issue 4:     [Hotfix 1726] (TT-352635)
                The isftpd process triggers a 100% CPU usage issue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 4:  This hotfix adds the isftpd process to the approved
                list in IWSVA to prevent the high CPU usage issue.

   Hotfix 1728

   Issue:       [Hotfix 1728] (TT-352510)
                An issue may prevent source IWSVA devices from
                sending chunked data to registered child IWSVA
                devices.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:    This hotfix resolves the issue by allowing the source
                IWSVA device to choose between chunked mode or
                content-length mode response to child IWSVA devices.

   Hotfix 1729

   Issue:       [Hotfix 1729] (TT-355847)
                Dropbox cannot sync in bridge mode after users add
                "dropbox.com" to the global trusted list.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:    This hotfix resolves the issue by enabling IWSVA to
                run through the list of global trusted domains before
                it attempts to connect to websites.

   Hotfix 1730

   Issue 1:     [Hotfix 1730] (TT-357017)
                The LDAP server diagnostic tool returns a "failed"
                result even when the LDAP server has connected
                normally.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1:  This hotfix ensures that the diagnostic tool returns
                the correct LDAP server connection results.

   Issue 2:     [Hotfix 1730] (TT-355574)
                HTTPS request authentication may fail when IWSVA is
                deployed in bridge mode between a client and the
                upstream proxy and the upstream proxy uses Kerberos
                authentication.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2:  This hotfix ensures that HTTPS request authentication
                can run successfully under the scenario described
                above.


8. Contact Information
======================================================================
A license to Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year, you
must renew Maintenance on an annual basis at Trend Micro's
then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

   http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.


9. About Trend Micro
======================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Copyright 2016, Trend Micro Incorporated. All rights reserved.
Trend Micro, InterScan, and the t-ball logo are trademarks of Trend
Micro Incorporated and are registered in some jurisdictions. All other
marks are the trademarks or registered trademarks of their respective
companies.


10. License Agreement
======================================================================
View information about your license agreement with Trend Micro at:

   http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/

Third-party licensing agreements can be viewed:

   - By selecting the "About" option in the application user interface
   - By referring to the "Legal" page of the Administrator's Guide