Illumio Core What's New and Release Notes 21.5

Security Information in 21.5.x

This section provides important security information for this release. For additional information about security issues, security advisories, and other security guidance pertaining to this release, see Illumio’s Knowledge Base in Illumio's Support portal.

  • Core VEN Installs Weak File Permissions on Debian: On Debian, the VEN installation script incorrectly set the owner of /etc/illumio_ven to UID 1000. This is resolved by setting the owner UID to 0 (root).

  • Firewall Rules Didn't Properly Require IPsec: In certain cases, plaintext connections would not be blocked despite being configured to require IPsec using SecureConnect. This issue is resolved.

  • Postgres Password Included in Command Line: In certain scenarios, such as a PCE upgrade, the Postgres password was passed as an argument on the command line, where other users logged in locally to the host could view it during a brief window of time. This issue is resolved.

  • Security Headers for nginx: Additional security headers were enabled for the nginx endpoint. Under normal circumstances, nginx is inaccessible outside the PCE cluster.

  • Local PCE User with No Role Could Access system_events: A local user with all roles removed could still obtain events from system_events. This issue is resolved.

  • Resque gem Updated to Address CVE-2015-9251: The resque gem was updated from 2.0.0 to 2.1.0 to address CVE-2015-9251, which impacts jQuery, a dependency of resque.
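
A post-upgrade check for the first item above (ownership of /etc/illumio_ven), written as an added example and not taken from Illumio's installer or documentation. The function name `audit_owner`, the script name in the usage comment, and the extra test for group- or other-writable entries are assumptions that go beyond what the release note states.

```shell
#!/bin/sh
# Added example (not Illumio code). Usage: sh audit_owner.sh /etc/illumio_ven
#
# audit_owner DIR [UID]
#   Lists every entry under DIR that is not owned by UID (default 0, root)
#   or that is writable by group or other (symlinks are skipped for the
#   mode test because their mode bits are not meaningful).
#   Returns 0 if clean, 1 if findings were listed, 2 if DIR cannot be audited.
#   Assumes path names do not contain newlines.
audit_owner() {
    dir=$1
    want_uid=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "audit_owner: $dir is not a directory" >&2
        return 2
    fi

    # -user accepts a numeric ID; -perm -020 / -002 match group/other write.
    findings=$(find "$dir" \( ! -user "$want_uid" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print) || return 2

    if [ -n "$findings" ]; then
        # Show numeric owner/group and mode so a stray UID 1000 is obvious.
        printf '%s\n' "$findings" | while IFS= read -r path; do
            ls -ldn "$path"
        done
        return 1
    fi
    return 0
}

# Run the audit only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_owner "$@"
fi
```

A non-zero exit on a Debian host with the VEN installed means the tree still has entries owned by an unprivileged account or writable beyond root, and the listing shows which ones.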