Sophos Firewall v19 MR2 (Build 472)

Description

Notes

Features

Xstream SD-WAN enhancements
  • Support for four times as many SD-WAN profiles for larger-scale environments
  • Improved gateway management: gateways can now be filtered by status, IP, interface and health check
  • SD-WAN profile names can now be searched in diagnostics
IPsec VPN enhancements
  • Improved Security Heartbeat selection in remote access IPsec VPN
  • Support for disabling anti-replay protection for IPsec VPN in special use cases
Other enhancements

Email Protection: Improved spam detection rate with SASI; bulk email handling configurations are now allowed in MTA mode.

SD-RED: Displays unlock codes for deleted RED devices and sends them by email to ensure the devices can be reused.

Zero-Day Protection: Intelix can now request samples that exceed the built-in 10 MB limit.

Affected product groups

Bugfixes

  • NC-112368: Core Utils IPsec cacert is missing in .scx file.
  • NC-111476: FQDN Subdomain learning isn't working in case of non-SFOS DNS server set for client.
  • NC-111110: SDWAN Routing Import-export doesn't reflect changes in SD-WAN PBR profiles.
  • NC-111023: Email Legacy email mode is crashing very frequently.
  • NC-110927: Authentication Missing MFA enable and disable event logs.
  • NC-110026: XGS-BSP HA cluster fails even after hardware replacement.
  • NC-109626: HA Standalone device restarts. msync: too many open files.
  • NC-109562: WAF Unable to modify or update the WAF protection policy after selecting it for WAF rule.
  • NC-109245: WAF Can't skip CRS rules in application attacks group with exceptions.
  • NC-108562: Core Utils Public key authentication for admin can't be managed through Sophos Central.
  • NC-108536: Firewall Firewall rules stopped working after backup-restore due to failure in XML API while creating firewall rule.
  • NC-108533: API Framework, UI Framework Need to hook frontend validations for multipart requests.
  • NC-108354: Wireless LocalWiFi mac80211 vulnerabilities.
  • NC-108318: Email Unable to click a few settings under Email > General settings after updating firmware to version 19.
  • NC-108237: Email Spam emails are let through with the error "spam scanning failed".
  • NC-108213: API Framework, UI Framework Post-auth code injection (CVE-2022-3696).
  • NC-108211: Interface Management Multiple post-auth read-only SQLi vulnerabilities in InterfaceHelper.java (objStr).
  • NC-108115: Web Custom category name stored XSS in URL category lookup.
  • NC-108003: NFP-Firewall Memory utilization increases until the firewall stops responding.
  • NC-107999: IPS Ruleset Management HA cluster configuration fails.
  • NC-107982: Authentication Exposing password in setup wizard.
  • NC-107975: Logging Framework Logging stopped on the device with an error showing that the database disk image is malformed.
  • NC-107945: Wireless APX 530 becomes inactive after HA failover.
  • NC-107943: Firewall XG 135 crashed and needed RCA to prevent the issue in future.
  • NC-107603: SDWAN Routing Stored XSS in SD-WAN performance graphs.
  • NC-107481: Authentication Log viewer isn't showing source IP field information for authenticated SSL VPN users.
  • NC-107453: WAF WAF rules not working.
  • NC-107327: WAF Upgrade ModSecurity and OWASP CRS to the latest version.
  • NC-107325: VFP-Firewall Firewall becomes inaccessible.
  • NC-107283: Email AwarrenSMTP service dead.
  • NC-107239: L2TP Unable to connect to L2TP after upgrade.
  • NC-107145: Hotspot For hotspot vouchers in the user portal, under Manage, the delete icon isn't intuitive.
  • NC-106907: Hotspot WLAN voucher not showing correctly.
  • NC-106834: IPS-DAQ-NSE Connection untrusted when browsing some sites.
  • NC-106811: Email Unable to start anti-spam service.
  • NC-106783: Email Unable to send or receive emails with certificate error for pop.ocn.ne.jp domain.
  • NC-106738: Hotspot Sort functionality doesn't work properly in the user portal for hotspot vouchers.
  • NC-106608: IPsec Duplicate SAs being created.
  • NC-106424: API Framework, UI Framework Pre-auth code injection (CVE-2022-3236).
  • NC-104844: Web Zero-day protection report shows license warning incorrectly.
  • NC-103733: IPsec BGP service keeps restarting, affecting the Amazon VPC connection.
  • NC-103406: Certificates Migration fails from SFOS 18.5 MR4 build 418 to 19.0 MR1 build 365.
  • NC-103037: XGS BSP Failsafe issue due to NPU failure.
  • NC-102919: Static Routing Static routes lost at the backend after enabling QuickHA.
  • NC-102771: Authentication XFOS Migration Users unable to authenticate through CAA.
  • NC-102737: SSLVPN SSL VPN not working as sslvpn service is stuck in busy status. Site-to-site and remote access are affected.
  • NC-102614: Firewall Bridge: Traffic not working with Fastpath for bridge with logical members after migrating to version 19. Traffic shouldn't get offloaded to Fastpath.
  • NC-102558: IPsec The issue in NC-84750 still occurring on one site after installing the patch.
  • NC-102436: Firewall Appliance access lost on backup-restore. Local ACL rules stopped working on backup-restore.
  • NC-102308: Firewall Disabled load balancing NAT rules still sending out alerts for disabled NAT rule.
  • NC-102257: Firewall Post-auth read-only SQLi through APIController (CVE-2022-3710).
  • NC-101720: XGS-BSP Random SFP+ port flap.
  • NC-101713: Logging Framework PG trigger entry should be present for login events even when on-box reporting is off.
  • NC-101703: CDB-CFR CM Unable to open the web admin console from Sophos Central after turning on "Send reports and logs to Sophos Central" and "Send configuration backups to Sophos Central" on the firewall.
  • NC-101326: SSLVPN OS command injection through SSL VPN configuration upload (CVE-2022-3226).
  • NC-101300: Email Unable to send emails after upgrading to 18.5.4 due to failed malware scan.
  • NC-101271: Dynamic Routing (BGP) BGP networks in SFOS web admin console show ASCII characters instead of expected networks for config-type cisco.
  • NC-101046: IPS-DAQ Website doesn't work due to OCSP must-staple in Firefox browser.
  • NC-101021: Date/Time Zone Time zone change allowed in Sophos Central on all HA devices.
  • NC-100725: XGS-BSP NPU in failsafe mode after upgrading from 19.0 GA to 19.0 MR1.
  • NC-100716: FQDN IPset sporadically not created for wildcard FQDN host.
  • NC-100707: IPsec Wrong source IP address in IPsec routes.
  • NC-100699: IPsec SMB transfer stops and doesn't recover with IPsec acceleration and policy-based VPN.
  • NC-100623: Hotspot Hotspot voucher creation failed.
  • NC-100418: nSXLd Internet down with error "nSXLd: Connection timeout while connecting to SXL server".
  • NC-100334: WAF Virtual host not removed if firewall rule is turned off.
  • NC-100325: WAF Update API JSON fields for encrypted WAF secrets.
  • NC-100265: Web Expired certificates in certcache are used rather than generating new ones.
  • NC-100250: Gateway Management RCA: Unable to change DGD settings for a specific WAN port.
  • NC-100084: Firewall DNAT issue when multiple hosts are added.
  • NC-99965: Interface Management SQL injections found in application.
  • NC-99962: Wireless Adjacent code injection in Wi-Fi controller (CVE-2022-3713).
  • NC-99801: Interface Management Unable to delete a LAG interface.
  • NC-99604: Email SQLi in getSmtpQuarantineMailRecord.
  • NC-99421: Email Mail issues on XG 430 (split from CPU 100%).
  • NC-99247: SSLVPN Unable to download SSL VPN site-to-site server configuration.
  • NC-99232: Web Changes to web proxy settings can't be saved when signed in with German language.
  • NC-99152: Logging Framework Central reporting: Failed to initiate the mmap case when queue limit is reached with no Sophos Central connectivity.
  • NC-98712: Core Utils XGS DT-2 r1: Containment plan to handle production issue causing 10+ sec factory reset feature doesn't work on these units.
  • NC-98576: IPS Ruleset Management IPS pattern doesn't update.
  • NC-98574: SSLVPN Traffic isn't passing through site-to-site SSL VPN tunnel, although the tunnel is up.
  • NC-98573: Firewall Country group stored XSS in DNAT rule in version 19 GA.
  • NC-98300: Email High CPU utilization due to Exim.
  • NC-98296: Email Attachments getting corrupted while using SPX.
  • NC-98094: nSXLd Unable to categorize URLs and IP addresses using external URL database.
  • NC-98089: Firewall Unable to restore backup from SG 230 18.5 MR3 to XGS 2300 19.0 GA.
  • NC-97883: Firewall Unable to upgrade firmware or perform backup-restore from 17.5.15 to 19.0 GA: Duplicate key value violates unique constraint "tblfirewallrule_unique_name".
  • NC-97753: IPS Engine IPS Policy Unable to Upgrade to version 19 from 18.0.4. Duplicate config disable_decode_alerts in tblconfiguration table.
  • NC-97743: AppFilter Policy Unable to export application filter policy.
  • NC-97711: NFP-Firewall nfnetmap_queue backing up, appliance may fail.
  • NC-95926: CDB-CFR Reporting Reports aren't being generated.
  • NC-95861: Firewall Country blocking through firewall rule isn't working.
  • NC-95633: IPsec Unable to connect IPsec remote access due to invalid .scx file.
  • NC-95603: Email Legacy email mode is crashing every 2 minutes.
  • NC-95543: Email Mail logs page stuck in loading status.
  • NC-95353: Static Routing Static route to RED disappears in XGS (HA) after a restart.
  • NC-95351: HA HA failover isn't working due to auto-restart of auxiliary device.
  • NC-95239: IPsec Different gateway entry in the IPsec configurations when using DDNS.
  • NC-95197: RED Appliance auto-restarts frequently in a day or two.
  • NC-94734: IPsec PPPoE isn't connecting after random disconnect event if XFRM interface is created on PPPoE.
  • NC-94664: Hotspot Post-auth read-only SQLi in user portal (CVE-2022-3711).
  • NC-94661: SSLVPN Android and iOS users can't import SSL VPN ovpn file.
  • NC-94418: Logging Framework (Central Reporting) Reporting and logging to Sophos Central stops randomly.
  • NC-94362: Email SPX stops working after unspecified period.
  • NC-94128: NFP-Firewall Firewall stopped responding on specific port.
  • NC-93847: WAF Stored XSS in WAF exception through IP host.
  • NC-92598: Authentication Stored XSS in import group wizard (CVE-2022-3709).
  • NC-92282: HA System services page gets stuck in loading.
  • NC-90794: Authentication Unable to import groups containing an apostrophe in their name.
  • NC-90247: IPsec IPsec VPN failback isn't working.
  • NC-90151: Authentication Unable to authenticate with PUSH with Azure MFA.
  • NC-88628: RED RED UDP packets are forwarded to the auxiliary device after HA switchover.
  • NC-86937: VFP-Firewall Memory utilization increasing gradually.
  • NC-85961: Authentication Guest user is created on secondary appliance but not on primary appliance sometimes.
  • NC-85114: Firmware Management 'kworker' process continuously takes high CPU on XG 450.
  • NC-84924: Core Utils Memory utilization increases to 90 percent or above in XGS 3100 due to appcached service.
  • NC-84910: Authentication Authentication with STAS stopped working when the appliance restarted until the access_server restarted if AD is reachable through a static route.
  • NC-84750: IPsec Auxiliary node sporadically receives IPsec packets.
  • NC-81219: CM HA zero downtime upgrade isn't supported if the firmware upgrade is scheduled on Sophos Central.
  • NC-79378: Web Uploading user-defined logo in user notification settings gives error.
  • NC-77804: Firewall Netlink: 153776 bytes leftover after parsing attributes in process `ipsetelite'.
  • NC-75655: Email Arbitrary file write creates a DoS and possibly RCE vector.
  • NC-75654: Email Logical error in a global SQL escape function might enable injections.
  • NC-74241: CaptivePortal Stored XSS through captive portal customization (CVE-2022-4238).
  • NC-74120: Spoofing Traffic through bridge will be blocked as IP_Spoof if spoof protection is enabled for the involved zone.