1.5.8. Release 1.2.2-8

Release date: 02.09.2022

The new changes in this release are the following:

1.5.8.1. ON Core

  • The PHP 7.4 package has been activated in order to have the PHP in the different openNAC components in that same version.

  • Switch H3C 5300/5320 has been homologized, with the following parameters:

    • General info

      • Brand: H3C

      • Model: 5300/5320

      • Current firmware used: version 7.1.070, Release 6126P10

    • Dot1x Authentication

      • Supplicant Auth: OK

      • Supplicant User: OK

      • Supplicant Host: OK

      • Supplicant Cert: OK

      • MAB Auth: OK

    • Dot1x Authorization

      • Default VLAN: OK

      • Critical VLAN: OK

      • Reject VLAN: OK

      • Dynamic VLAN: OK

      • Voice VLAN: OK

    • ACLs

      • Static: OK

      • Dynamic: OK

    • TogglePort
      • CoA:

        MAB: OK Dot1x: OK

      • SNMP: KO

    • SNMP Traps

      • MAC change: KO

    • Flow support

      • Flow support:KO

    • NetConf & NetBackup

      • NetConf: OK

      • NetBackup: OK

  • Configuration and monitoring of php-fpm has been optimized. The following functionalities have been added:

    • Creation of new healthchecks for https pools (www and poleval).

    • Verification of external web server configuration, fpm groups, etc.

    • Check that according to the httpd configuration, static elements, such as favicons, are delivered directly without going through the API.

  • New UI theme property in the agent configuration. In ON Agent -> Agent Configuration a new field has been added to be able to select the preferred graphical interface theme. We have to choose between the OpenNAC and EMMA options.

  • Brands view and Models view have been removed from ON CMDB.

  • In ON Agent -> Agent Configuration the RSS feed URL field has been deleted.

  • The authenticated agent token is replaced when the hardware ID already exists. When the user authenticates to the agent with a different user ID but the same hardware ID, the user ID is replaced and the token is regenerated. Previously the user ID was reused, which can be incorrect if the user formats the computer and gives it to another user.

  • Cross Site Scripting Vulnerability fix. The affected URL and other similar dynamic pages or scripts that could be transmitting unreliable malicious data from user input have been audited. In general, the following practices have been used when developing dynamic web content:

    • Explicitly set the character set encoding for each page generated by the web server

    • Identify special characters

    • Encode dynamic output elements

    • Filter specific characters in dynamic elements

    • Browse cookies

    • For more information on prior practices, please read the following CERT advisory: CERT Advisory CA-2000-02 (http://www.cert.org/tech_tips/malicious_code_mitigation.html)

    • For ASP.NET applications, the validateRequest attribute can be added to the page or web.config. For example:

    Note

    <%@ Page … validateRequest=”true” %> OR &lt;system.web&gt; &lt;pages validateRequest=”true” /&gt; &lt;/system.web&gt;

    Also, all dynamic content must be HTML-encoded using HTTPUtility.HTMLEncode.

    • For PHP applications, the input data must be validated using functions such as strip_tags and utf8_decode. Dynamic content must be HTML-encoded using htmlentities.

    • For Perl applications, input data should be validated whenever possible using regular expressions. Dynamic content must be HTML-encoded using HTML::Entities::encode or Apache::Util::html_encode (when using mod_perl).

    • Redirect user to /login if going to /change-password without username