Illumio Core What's New and Release Notes 21.5

Support Bundle download returned 502 error (E-91480)

This issue is resolved.

PCE response header names were lower case (E-90166, E-89767)

HTTP response header names from the PCE could sometimes be sent in lower case. This could affect scripts that were written for earlier PCE versions, which expected mixed-case headers. For example, Content-Length in the response header of a previous PCE version might be content-length in a later version. This issue is resolved. The PCE will continue to provide mixed-case header names for the moment. However, any tooling that parses the HTTP headers should be changed to allow case-insensitive header name matching in order to retain compatibility with future PCE releases. Refer to RFC 7230, section 3.2, Header Fields, which states that field names should be case insensitive.

haproxy maxconn was not large enough (E-89638)

haproxy maxconn was not large enough to handle a spike of policy requests. This issue is resolved and it now accommodates a queue of 15,000 requests.

Unvalidated redirect through the Referrer header (E-89344)

There was an unvalidated redirect through a Referrer header in /login/users/password/update which resulted in cross-domain Referrer leakage. This issue is resolved. The referrer header and other user inputs are now validated by the server that only allows headers coming from a PCE cluster. The Referrer header is a request header that indicates the site which the traffic originated from.

".public" workload interfaces wasn't ignorable (E-89290)

Previously, the PCE allowed users to ignore PCE-generated .public interfaces on Workloads, which could cause unwanted behavior on the VENs. This issue is resolved. All PCE-generated interfaces are filtered from the ignored interface list before it is sent to the VEN.

Exposure charts in Executive Summary report did not show data (E-89032)

In the Executive Summary report, the sections Vulnerability Exposure (All App Groups) and Vulnerability (All App Groups) showed the message NO DATA AVAILABLE, even when data existed. The cause was an inter-service permissions issue. This issue is resolved. The services can now upload the data, so that it appears correctly in the Executive Summary report.

Expired service-account API keys accessing non-agent endpoint (E-88696)

The expired service-account API keys were able to access a few endpoints. This issue is resolved. The API queries using an expired key will respond with the expected unauthorized error.

Database migration failed during upgrade (E-88273)

When upgrading Illumio Core on a Supercluster, an error message like the following appeared during the database migration step: " 'id' column is missing. A multi-master table requires an INSERT statement to provide 'id' column explicitly." Data generated during the migration required an explicitly specified database primary key to verify Supercluster region ownership. The migration involving the clone_detected state triggered this restriction. This issue is resolved. The migration involving the clone_detected state no longer triggers this restriction.

Harmless time-drift threshold warning on the Health page for the PCE (E-87425)

If the local node clock was out-of-sync with the NTP time server beyond a threshold, then the health page displayed an appropriate warning on the PCE. The threshold value was too low and caused false alarms. The system has been reconfigured to increase the threshold to 384 ms to minimize the occurrences of these warning messages.