WALLIX Bastion 12.1.1 – Release Notes

Reference:	https://doc.wallix.com/en/bastion/12.1/rn-en-12.1.1.html
Date:	2025-06-05
Copyright:	© 2025 WALLIX

Contents

1 New functionalities and improvements
2 Bug fixes
3 Known issues
4 Known limitations

1 New functionalities and improvements

This version includes all the improvements and new features implemented from WALLIX Bastion 10.0 and listed in the sections below.

1.1 New functionalities and improvements in WALLIX Bastion 12.1.1

1.1.1 Complete list of changes

The following features and improvements have been implemented in this version:

WAB-12907: Kerberos method of Windows password change plugins can do password reconciliation.

1.2 New functionalities and improvements in WALLIX Bastion 12.1

1.2.1 New features

1.2.1.1 WAB-3123: API Key Associated With A Profile - Bastion

API keys can be linked to a non-editable profile, restricting the rights of users logging in with an API key. New default non-editable profiles have been introduced to simplify API key configuration with Access Manager (compatibility starting from version 5.2).

1.2.1.2 WAB-5327: Support of OpenID Connect (OIDC) - Bastion

Bastion supports OpenID Connect, enabling seamless authentication with identity providers supporting the standard. This integration enhances security and simplifies user access management. Administrators benefit from streamlined identity federation and improved access control. With Single Sign-On (SSO), users can access Bastion without repeatedly entering credentials.

1.2.1.3 WAB-11037: RDP Session Resolution Set by Bastion Admin

The RDP session resolution can be enforced by the administrator through the RDP connection policy. This new option facilitates connections to servers and systems that support only a specific resolution, preventing display issues or session crashes.

1.2.1.4 WAB-11325: Network Discovery - Latency Measure

In network and AD discovery, latency is now measured for each discovered devices and available in the scan job results.

1.2.2 Complete list of changes

The following features and improvements have been implemented in this version:

WAB-8906: Add a mechanism for checking replication status before launching an update.
WAB-9057: Update Ant Design library to version 5.15.4.
WAB-9342: Remove the domain name field in the DNS section of the System - Network web page and in the WABNetworkConfiguration CLI tool.
WAB-9739: Improve the behavior of the icons in the navigation bar. The menu icons in the navigation bar are no longer hoverable. They are now clickable to display the associated options.
WAB-9762: Add FortiSandbox compatibility for DLP/AV file verification in RDP and SSH sessions.
WAB-10390: Improve Bastion web documentation by adding more guides.
WAB-10816: Add 3 new default profiles that can be used in API keys created for Access Manager.
WAB-10842: Update the Windows password change plugin from v1.0.1 to v2.1.0.
WAB-10847: Add a link to a read-only profile in the API key.
WAB-10960: Remove verbose and useless log lines in bastion-traceman: [file in /var/wab/hash] not in local storage, skipped.
WAB-11050: Add support for specifying which DNS server to use by domain name.
WAB-11151: Improve the debug archive ZIP file available on the System > Status page by offering log download choices.
WAB-11218: Add new API resource /api/apikeys-v2 to set the profile in the API key.
WAB-11330: Add REST API option deprecated_resources to control the use of deprecated resources.
WAB-11331: Deprecate the REST API resource /api/apikeys in favor of the new resource /api/apikeys-v2.
WAB-11392: Add a description field in the API key.
WAB-11425: Fix a SBOM mismatch related to a vendorised and no longer used JQuery component shipped on the Bastion.
WAB-11427: Implement a limited disk space management strategy.
WAB-11458: Add mandatory server certificate validation in the TLS configuration of the SIEM, using a trusted Certificate Authority (CA) or by specifying the self-signed certificate or the CA chain.
WAB-11506: Remove "RDP-JUMPHOST" type connections policies which are no longer used.
WAB-11569: Improve the robustness of HA Database Replication when one node goes down and then back up.
WAB-11618: Add list of groups and profile names in API resource "/api/preferences".
WAB-11681: Add verification and storage of certificates for VNC sessions using the authentication methods X509None, X509Plain, and X509VNC. The configuration is in the VNC connection policy, and the certificates are visible in the GUI via the Devices menu.
WAB-11959: Improve the WALLIX Bastion upgrade workflow by ensuring that the database of all nodes are re-synchronized when HA Database Replication is enabled.
WAB-12236: Add support for checking the SMTP server certificate identity when sending e-mail notifications.
WAB-12292: Increase default password length from 8 to 16 characters in the default password change policy.
WAB-12380: Add the MAC address to the interface selection dialog in the first boot setup wizard and the WABNetworkConfiguration command.
WAB-12410: Add a 4GB quota on the /home partition.
WAB-12706: Add celery.log file in basic log files on System / Status page.
WAB-12890: Update download procedure for WALLIX PuTTY in User Guide.
WAB-13126: Remove deprecated Global Configuration options: allow_gssapi and credential_change_notification_timeout.

1.3 New functionalities and improvements in WALLIX Bastion 12.0.2

1.3.1 New features

1.3.1.1 New procedure for major upgrade

Bastion 12 introduces a new system upgrade procedure. As a result, if you have a WALLIX Bastion prior to version 12 and wish to upgrade to Bastion 12, refer to chapter 6 of the Deployment Guide.

1.3.1.2 New procedure for minor upgrade

Bastion 12 introduces a new minor upgrade process to enhance efficiency and user experience. The new process relies on the wabupgrade account making it easier to upgrade from version 12 to version 12.X. Refer to the Deployment Guide, chapter 7 for detailed instructions.

1.4 New functionalities and improvements in WALLIX Bastion 12.0.1

1.4.1 New features

1.4.1.1 New default behavior for the “Enable Kerberos” option

Bastion 12.0.1 introduces a new default behavior for the “Enable Kerberos” option, enabling it by default which means that NLA Kerberos is now the first attempted authentication method. However, when restoring the backup of a Bastion anterior to 12.0.1, the configuration of authentication mechanisms is not modified. That means that values set for NLA and Kerberos are restored as defined in that backup file. For example, if Enable Kerberos option was disabled, this option remains disabled after the restoration, even if the option is now enabled by default.

Bastion 12.0.1 also introduces new options for RDP target connections. To ensure that the target cannot negotiate an authentication protocol lower than that specified by the connection policy, fallback mechanisms are disabled by default. However, for greater granularity, you can modify fallback mechanisms for connections to RDP targets. The options are:

Allow NLA NTLM fallback
Allow TLS only fallback
Allow RDP legacy fallback

We strongly encourage you to review your connection policies and make any necessary updates to the fallback mechanism to better suit your needs.

WALLIX follows the Microsoft recommendation to use the domain account for RDP sessions. As a result, WALLIX recommends to use NLA Kerberos authentication when using target account in Active Directory. That means the “Allow NLA NTLM fallback”, “Allow TLS only fallback”, and “Allow RDP legacy fallback” options must be disabled.

When using a local account on a target, Microsoft and WALLIX recommend:

to use NLA NTLM if NTLM support is enabled and NLA enabled. In this situation, the “Allow NLA NTLM fallback” option must be enabled, but the “Allow TLS only fallback” and “Allow RDP legacy fallback” options must be disabled.
to use TLS only if NTLM support is disabled and NLA disabled. In this situation, the “Allow TLS only fallback” option must be enabled, but the “Allow NLA NTLM fallback” and the “Allow RDP legacy fallback” options must be disabled.

For earlier targets (windows 2003 and older), you must enable the “Allow RDP legacy fallback” option.

1.4.2 Complete list of changes

The following features and improvements have been implemented in this version:

WAB-8289: Improve product documentation by re-architecturing existing content into six new guides with better-defined target audiences.
WAB-8313: Add bastion-get-auth-statistics script to the Bastion to compute authentication satistics.
WAB-8687: Remove the User > Groups page in the legacy interface, following its refactoring.
WAB-9383: Improve user experience during backup create and restore operations by displaying warning messages and disabling unavailable options.
WAB-9425: Improve user experience when configuring password change policies by clarifying form input and validation.
WAB-9721: Add STATUS_NO_CHANGE_NEEDED return status for password change plugins.
WAB-9812: Add support of SAML forceAuthn parameter to require users reauthentication to their IdP even with an active session.
WAB-9896: Add backup and restore of the ticketing interface script in the Bastion backup.
WAB-9897: Add Password change plugins in backup/restore. In some cases, some plugins are restored aside, for more information, refer to the administration guide to see how and where to restore them.
WAB-10260: Add the number of e-mails sent in the API response to approvers notification (from user and approver).
WAB-10624: Improve default values in some security algorithms parameters in RDP and SSH connection policies.
WAB-10842: Update the Windows password change plugin from v1.0.1 to v2.0.1.

1.5 New functionalities and improvements in WALLIX Bastion 12.0

1.5.1 New features

1.5.1.1 Platform upgraded to Debian 12

WALLIX Bastion is now running on Debian 12. This evolution offers a more modern software ecosystem with functional enhancements and security improvements.

1.5.1.2 Support of whole disk encryption

WALLIX Bastion now features a whole disk encryption support. This mechanism is automatically set up during the installation phase. To customize several security parameters of the encryption, refer to section 6.3 of the Operation Guide.

1.5.2 Complete list of changes

The following features and improvements have been implemented in this version:

WAB-2236: Removal of legacy license key support
WAB-6013: Addition of the configuration of the default key derivation function used in the Bastion, including Argon2ID (now used by default)
WAB-7163: Implementation of a new security level 'certified' for HTTP admin server in WABNetworkConfiguration
WAB-7165: Implementation of a new security level 'certified' for RDP proxy in WABNetworkConfiguration
WAB-7269: Removal of the My Authorizations > Secrets page in the legacy interface, following its refactoring
WAB-7270: Removal of the My Authorizations > Sessions page in the legacy interface, following its refactoring
WAB-7350: Migration of Antd to the version 5.9.0
WAB-7917: Modification of the security level which is now set to “high” by default for all services, except SSH where only the cryptography is set equivalent to high but the password authentication scheme is still allowed. It is recommended to set it to “high” also as soon as you have authorized your SSH authentication keys
WAB-7938: Modification of the “High” security level which is now based on recommended algorithms from “SOG-IS Crypto Evaluation Scheme – Agreed Cryptographic Mechanisms v1.3”. Old “high” level is now named “oss”
WAB-8255: Implementation of the SSH strict kex extension in SSH proxy to fix the following security issue: CVE-2023-48795
WAB-8262: Implementation of the SSH strict kex extension in WALLIX-PuTTY to fix the following security issue: CVE-2023-48795
WAB-8263: Update libssh-gcrypt-4 and libssh2-1 to fix the following security issue: CVE-2023-48795
WAB-8274: Reduction of the SSH cipher list to aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, and aes128-ctr and MAC algorithms to hmac-sha2-512 and hmac-sha2-256 on port 22 for the primary connection to fix the following security issue: CVE-2023-48795
WAB-8310: Removal of the Configuration > API Key page in the legacy interface
WAB-8536: Removal of the old unused HA scripts
WAB-8683: Removal of the weekly reports feature for the "Administration" and "Audit" dashboards
WAB-8687: Removal of the User > Groups page in the legacy interface, following its refactoring
WAB-9060: Removal of REST API version 3.11
WAB-9380: Modification of the partition scheme and filesystem to improve upgrade process robustness
WAB-9427: Removal of the User groups page in the legacy interface
WAB-9610: Addition of a LUKS-based disk encryption

1.6 New functionalities and improvements in WALLIX Bastion 11.0

1.6.1 New features

1.6.1.1 Refactoring of Sessions in My Authorizations (REST API & GUI) (WAB-979)

My Authorizations pages have been reworked. Users are now able to resize, reorder, display or hide columns according to their news. New columns are available and column filter is now available for most of them. Users can now choose their default SSH or RDP client in Preferences.

1.6.1.2 Refactoring of Secrets in My Authorizations (REST API & GUI) (WAB-980)

My Authorizations pages have been reworked. Passwords has been renamed Secrets and all improvements available on Sessions page are also available for Secrets. The checkout workflow has been cleaned, secrets can be displayed or added to clipboard and two new SSH key formats are also available : PEM/PKCS1 & PKCS8.

1.6.1.3 Support of AliBaba Cloud (WAB-3120)

WALLIX Bastion and WALLIX Access Manager are now supported on Alibaba Cloud. Images can be requested from the WALLIX Support team. For WALLIX Bastion, support is available since version 10.0.2 and for all higher versions supported. For WALLIX Access Manager, support is available since version 4.0.3 and for all higher versions supported.

1.6.1.4 Universal Tunneling - Multi-Tunneling - Access to Multi-Interfaces Targets (inc. Multi-Drivers PLC) With One Session (WAB-3762)

Universal Tunneling (RAWTCPIP) is extended to enable simultaneous access up to 50 interfaces in the same session. Numerous IT and OT machines require fat clients to access several interfaces at the same time to be efficiently administrated. Thanks to Multi-Tunneling, it's possible with one session and one approval request. And with Seamless Connection, there is no extra effort for the user.

1.6.1.5 Access Manager / Bastion - Session Invite from Access Manager (WAB-3832)

In Session invite, the host user can now cancel sharing the session with the guest at any time by clicking a button. The management of guest sessions has been improved so that they are properly closed when the guest logs out or is disconnected and are properly counted with respect to the maximum number of concurrent users configured in the license. In addition, when a guest accesses Access Manager using a shared URL, a "Login with OTP" action is now recorded in the audit logs, regardless of whether the authentication is successful.

1.6.1.6 Access of OT Targets behing a NAT (WAB-3871)

With the new parameters in the RAWTCPIP connection policy, it is now possible to access targets behind Network Address Translation (NAT) solutions using Universal Tunneling sessions, without any inconvenience to privileged users.

1.6.1.7 Refactoring of Approval Requests in My Authorizations (REST API & GUI) (WAB-4489)

My Authorizations pages have been reworked! Approval requests benefit now from their own page. As for other My Authorizations pages, a lot of improvments are available making it easier for to browse approval requests.

1.6.1.8 Introduce Universal Tunneling in Documentation (WAB-4524)

A new section 12.7 regarding Universal Tunneling (RAWTCPIP) sessions has been introduced in the documentation. This section presents the main use cases, prerequisites, some specific options and main configuration examples.

1.6.2 Complete list of changes

The following features and improvements have been implemented in this version:

WAB-4525: Add new extended documentation section (11.7) for RAWTCPIP / Universal Tunneling sessions added to the Admin Guide
WAB-5352: Add SQL replication script in WALLIX Bastion
WAB-6330: Improvement: bastion-traceman only tries once to move a non-existent trace
WAB-6336: Support for Chinese characters in internal RDP proxy pages
WAB-6349: Add BÉPO keyboard layout
WAB-6887: Add "py3270" python3 library
WAB-7269: Following the refactoring, the page My Authorizations > Secrets is not available anymore in the legacy interface
WAB-7270: Following the refactoring, the page My Authorizations > Sessions is not available anymore in the legacy interface
WAB-7563: Fix compatibility issue between Application Driver with UI Automation scripts in Remote App mode on Windows Server 2022 from version 21H2 OS build 20348.1970
WAB-7574: Improvement: SSH key type is now explicitly returned after checkout (REST API, GUI)
WAB-8136: Update tzdata package to version 2021a-0+deb10u12 to include the latest changes to the leap second list
WAB-8256: Update openssh package to version 7.9p1-10+wallix7.0+deb10u4 to fix the following security issues: CVE-2021-41617, CVE-2023-48795, CVE-2023-51385
WAB-8274: Reduce SSH cipher list to aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, and aes128-ctr and MAC algorithms to hmac-sha2-512 and hmac-sha2-256 on port 22 for the primary connection to fix the following security issue: CVE-2023-48795
WAB-8275: Reduce SSH cipher list to aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, and aes128-ctr and MAC algorithms to hmac-sha2-512 and hmac-sha2-256 on port 2242 to fix the following security issue: CVE-2023-48795
WAB-8310: The page Configuration > API Key is not available anymore in the legacy interface

1.7 New functionalities and improvements in WALLIX Bastion 10.4

1.7.1 New features

1.7.1.2 WAB-49: Windows Service Accounts - Integrated Password Rotation Plugin

The WindowsService secret rotation plugin provides a new integrated workflow for rotating passwords for AD or LDAP accounts and propagating them to targets (called references) that use a service account for one of their services. Now all Windows service and user accounts can be managed with a single domain. SIEM logs are generated for each rotation and propagation to monitor the results of the password rotation.

1.7.1.3 WAB-3405: SAML - Bastion / AM Integration

With WALLIX Bastion 10.4 and WALLIX Access Manager 4.4, it is now possible to benefit from a complete SAML workflow to identify and authenticate users using the same SAML Identity Provider on Bastion and Access Manager.

1.7.2 Complete list of changes

The following features and improvements have been implemented in this version:

WAB-1979: Refactoring of the REST API endpoint and the "Encryption" page in the Web interface
WAB-2271: Changing the name of fields and associated values in the "encryption" resource of the REST API

1.8 New functionalities and improvements in WALLIX Bastion 10.3

1.8.1 New features

1.8.1.1 WAB-66 - Bastion - SAML Generic Support as Service Provider (SP)

The standard protocol SAML 2.0 is now supported in the WALLIX Bastion. WALLIX Bastion can be now configured as a Service Provider (SP) so that any SAML Identity Providers (IdP) can be leveraged to manage federated identities and strong authentication of privileged users.

1.8.1.2 WAB-536 - SSH Certificate Authorities

Authentication of LDAP/AD users with SSH certificates is now supported. SSH certificates are an improvement of the SSH keys mechanism that eases and rationalizes the management of SSH authentication. A new SSH Certificate Authorities (CA) object has been introduced. In the future, this object will be extended to centralize and simplify the management and use of other types of CAs in the WALLIX Bastion.

1.8.1.3 WAB-2440 - Redesign of "Authorizations" Page

The configuration page of the authorizations ("Manage authorizations") has been redesigned to clarify the configuration of one of the most important objects in the Bastion: the order of the parameters has been rearranged and descriptions have been added. The "Enable sessions" and "Enable password checkout" rights has been reorganized into the same parameter with the "Sessions" and "Secrets" value. A new list of authorizations is also available.

2 Bug fixes

This version includes all fixes implemented from WALLIX Bastion 11.0 and listed in the sections below.

2.1 Bug fixes in WALLIX Bastion 12.1.1

WAB-13812: Fix old password been keep with Kerberos method of Windows password change plugins when password successfully changed on Active Directory.

2.2 Bug fixes in WALLIX Bastion 12.1

WAB-6301: Improve the listing time of users with AD recursive groups.
WAB-6445: Fix deletion of target by a limited administrator if it exists in another group.
WAB-7383: Fix AD/LDAP 'simple (client certificate)' bind method.
WAB-7705: Improve route definition by accepting host bit set. The applied route is normalized, and a warning message is logged in/var/log/syslog.
WAB-8391: Improve the user interface by hiding the iDrac network interface of Dell physical appliances.
WAB-8445: Add replication of logo customizations in WALLIX One PAM cluster.
WAB-8999: Fix the Deactivate action in the configuration of the remote storage.
WAB-9074: Fix to automatically reload logger settings on each REST API request without restarting the service.
WAB-9155: Fix X.509 authentication when there are accents in the user certificate.
WAB-9170: Fix to keep the user's last connection date when the password changes.
WAB-9476: Remove the interface element related to the deprecated HA DRBD feature.
WAB-9491: Improve the default display of API key in the browser. After the generation, this key is hidden by default. Add an eye icon to display the API key.
WAB-9862: Remove unnecessary data for each file when session files are moved between local and remote storage. This fixes the "data is too long" error in the case of a session with a huge number of files.
WAB-9873: Fix an issue preventing a notification email to be sent when the watchdog gets back to an operational state after having been out of order.
WAB-10180: Fix target connection failure notification sending when application cannot be launched.
WAB-10230: Fix error logging in/opt/wab/bin/WABCRLFetch cron.
WAB-10250: Fix RDP Proxy Sesman configuration options lost after upgrade.
WAB-10278: Fix to display the login instead of defaultEmailDomain for UserPrincipalName.
WAB-10340: Fix the CSV import of Entra ID (ex Azure AD) users.
WAB-10341: Fix to ensure that a limited administrator can access the authentication history.
WAB-10401: Fix the Clear action of the remote storage configuration so it deletes the remote storage parameters from the bastion.
WAB-10443: Fix time frame verification that allowed to open a session on an application outside a time frame under certain conditions.
WAB-10464: Improve robustness of HA Database Replication with concurrent check-ins and checkouts of credentials.
WAB-10618: Improve usability by limiting email notifications to approvals whose end date has not yet passed.
WAB-10664: Fix the test network parameters by using the timeout during a GSSAPI connection.
WAB-10671: Fix target name in file created for ticketing interface script in case of password checkout.
WAB-10754: Update the Apache server to version 2.4.62-1~bpo10+wallix1 to fix following vulnerabilities: CVE-2024-39573 CVE-2024-38477 CVE-2024-38476 CVE-2024-38475 CVE-2024-38474 CVE-2024-38473 CVE-2024-38472 CVE-2024-36387 CVE-2024-39884 CVE-2024-40898 CVE-2024-40725.
WAB-10833: Fix the error "AttributeError: 'list' object has no attribute 'st_size'" that could be reported by the integrity checker "WABSessionLogIntegrityChecker" after importing a session archive. The imported sessions are now correctly processed.
WAB-10844: Fix the SAML Entra ID authentication end to end between Bastion and Access Manager.
WAB-10910: Add the option for administrators to reencrypt the LUKS volume.
WAB-11001: Add more logs when LDAP connection test fails.
WAB-11005: Fix wrong script path in the replication cron jobs.
WAB-11006: Fix the "bastion-traceman info" subcommand to provide the correct values for available and total space on the remote storage.
WAB-11007: Fix the removal of the monitoring cron job of the replication.
WAB-11011: Fix the “--elevate-master“ option of the replication script.
WAB-11019: Fix to allow creation of profiles with Manage Approvals right but without the Manage Authorizations right. Fix to prevent saving a profile with Manage Authorizations right but without User groups and Target groups rights.
WAB-11031: Fix the restoration of /var/wab/etc content during backup restore.
WAB-11043: Update python3 packages to version 3.7.3-2+deb10u8 to fix the following vulnerabilities: CVE-2024-0397 CVE-2024-4032.
WAB-11051: Fix the HA installation workflow if the system locale is not in English.
WAB-11063: Disable account creation by Google cloud agent.
WAB-11087: Fix the automatic partition resizing on cloud images.
WAB-11095: Remove mail sent every five minutes for replication check.
WAB-11097: Disable users from launching bastion-upgrade.sh manually.
WAB-11103: Fix notifications for OCR and keyboard input-based pattern detection during RDP sessions.
WAB-11111: Remove unexpected successful message in logs when a domain failed to be saved.
WAB-11138: Improve readability by reinstating the previous upgrade log file name, which used underscores instead of spaces.
WAB-11139: Improve usability by resetting the default wabupgrade shell to bash, which restores autocompletion.
WAB-11140: Add a message at the end of the upgrade to say the operation was successful.
WAB-11142: Add a confirmation message on BastionSecureUpgrade command before launching upgrade
WAB-11143: Fix service control limit value when toggling iptables rules.
WAB-11166: Fix live session audit not working with WALLIX Access manager 5.0.0.
WAB-11201: Fix corrupted vhdx image release.
WAB-11289: Fix issue in the SBOM regarding the incorrect version of the 'python3-winrm' package.
WAB-11297: Update dashboard component.
WAB-11303: Fix an issue that causes mail notifications to be sent to the wrong recipient during a HA Database Replication.
WAB-11316: Add a default HTTPS transport feature when changing credentials with WinRM method of Windows password change plugin.
WAB-11349: Fix SAML data schema update from 10.0 in migration scripts.
WAB-11351: Fix IPv4 and IPv6 default gateway deletion each time the configuration is applied in the System > Network page if IP source routing is enabled.
WAB-11378: Fix backup import from previous versions when the backup key has been truncated.
WAB-11391: Improve the description of the Enable Kerberos and Allow NLA NTLM fallback RDP options in Connection Policies.
WAB-11399: Fix users of AD recursive groups not correctly mapped to their Bastion groups. Improve performance when fetching users from an AD/LDAP domain.
WAB-11401: Fix Universal Tunneling session when requested source ip is empty.
WAB-11424: Fix import of backup when there are duplicated user or target groups in database.
WAB-11428: Improve security by further restricting LDAP client algorithms to match SOG-IS.
WAB-11431: Fix two bastion-replication issues: certain SSH operations are no longer interrupted before completion, and the autossh tunnel is now established through the right network interface.
WAB-11453: Fix deletion of e-mail list in user group via API endpoint PUT /api/usergroups.
WAB-11459: Improve the strength of passwords and passphrases. Weak, common or too short passphrases and passwords are now rejected.
WAB-11461: Fix HTTP host header handling in redirects.
WAB-11462: Fix a bad error handling when entering an invalid network mask in the network configuration form of the setup wizard.
WAB-11463: Improve CSRF token behavior which is now provided by the REST API thanks to a cookie (with established ttl) and is not stored anymore in the browser local storage.
WAB-11490: Add a new advanced option tls enable legacy server in RDP Connection Policy to fix RDP connections with TLS 1.0 to legacy Windows Server (such as Windows Server 2008). This option is disabled by default and must be enabled only for targets on a legacy Windows Server.
WAB-11499: Fix clipboard redirection with Windows XP target.
WAB-11503: Fix internal server error (HTTP 500) in API request when filtering on a timestamp field and providing an invalid date.
WAB-11518: Fix password checkout of a target whose account name contains a "" character (Secrets table).
WAB-11552: Add options to control the authentication method and TLS options in the connection policy of VNC.
WAB-11559: Fix keyboard input pattern detection in Access Manager invited sessions.
WAB-11574: Fix a vulnerability that allowed a malicious user to execute arbitrary commands while restoring a backup.
WAB-11590: Fix the integrity errors of the current sessions caused by WABSessionLogPurge by recreating, if necessary, the hash folder deleted by the script.
WAB-11626: Fix WALLIX-PuTTY installation in Windows workstation where some libraries (VCRUNTIME140.dll) are not present.
WAB-11636: Fix auditor 4 hands (via Windows Shadowing) access on some targets.
WAB-11648: Fix the network configuration migration during upgrade or restoration from a version prior to IPv6 support.
WAB-11665: Fix restoration of backup made on version 9.0 when a connection policy has single quotes in name.
WAB-11671: Fix error notification appearance when a global account is linked to an application via a target group.
WAB-11727: Improve logging for Windows password change plugin.
WAB-11743: Improve the error report of the keyboard pattern detections of the RDP sessions by resetting the text sent when the Enter key will be detected.
WAB-11764: Fix handling of multiple LUKS partition in bastion-luks-update.
WAB-11771: Fix the vulnerability issue DSA 5782-1 affecting the Linux kernel.
WAB-11791: Add Disable keyboard log option to the VNC connection policy to configure the KBD_INPUT log.
WAB-11795: Fix the detection of closure by inactivity on the shared RDP sessions and whose control is given to the guest.
WAB-11811: Fix errors when changing multiple passwords at the same time with the Kerberos method of the Windows plugin.
WAB-11813: Fix the login generated by the GUI for an account mapping.
WAB-11816: Fix display of the default gateway interface for ipv4 and ipv6 when the IP source routing is disabled on the System > Network page.
WAB-11818: Fix the display of the approval history list by de-duplicating rows when the approver belongs to more than one approver group.
WAB-11830: Fix RDP connections closing when approval requests were pending for too long.
WAB-11842: Fix "mariadb Aborted connection ..." warning for bastion-replication that was triggered by the replication monitoring, and which appeared in syslog every minute.
WAB-11883: Fix the delete icons for ipv4 and ipv6 routes as they removed the wrong routes on the System > Network page.
WAB-11884: Fix issue when adding multiple ipv4 or ipv6 routes in the System > Network page.
WAB-11904: Fix display of local authentication configuration in user creation form with Chrome browser version 127 or later.
WAB-11910: Fix encoding of users imported from an LDAP or AD server.
WAB-11928: Fix an issue that causes Ha Database Replication to be down for too long.
WAB-11929: Fix a traceback issue caused by Unicode decoding in SQL replication.
WAB-11949: Fix message displayed outside of visible area when configuring X.509 certificates on the web interface.
WAB-11950: Improve warning message when target session is limited in time by indicating the timezone of the deconnection time.
WAB-11953: Fix support for small computers without a keyboard controller. The absence of a keyboard controller was causing the startup setup screens to crash.
WAB-11965: Add optional field to enter the administrator's domain for Windows password change plugin.
WAB-11966: Fix to catch network error in the Windows password change plugin.
WAB-11967: Fix for Windows plugin to catch error when changing password of a user who does not exist on the target.
WAB-12025: Fix issue that could allow a disabled or expired Active Directory user to connect to the Bastion SSH proxy with a SSH key or to the Bastion with an X.509 certificate.
WAB-12028: Fix interruption of the launch of a manually deployed Application Driver by an end-user.
WAB-12038: Fix XRDP target connections when the Allow TLS only fallback option is disabled in the RDP connection policy.
WAB-12068: Improve the upgrade process of WALLIX Bastion by preventing it from starting if disk space is insufficient.
WAB-12090: Fix compatibility issue between Cisco Secure Endpoint and Session Probe.
WAB-12097: Improve the strength of SMTP cipher algorithms in TLS or STARTTLS, with the ability to configure their security level.
WAB-12131: Fix "Page not found" error that might appear on Administration and Audit pages
WAB-12169: Fix RDP session status when the connection has been aborted.
WAB-12176: Fix read of approvals assigned to a user via the REST API when the user logged is an external user.
WAB-12177: Fix interactive mode for SCP and SFTP protocols when primary authentication is SAML.
WAB-12179: Fix the system going into lockdown mode when the upgrade is prevented by an active HA Database Replication. The fix will be effective when upgrading from this version and newer versions.
WAB-12197: Fix errors in the Check Point GAIA password change plugin.
WAB-12203: Fix uniqueness of the /etc/machine-id file on the disk image.
WAB-12209: Fix email sent containing "UNLIKELYVALUEMAGICASPICONSTANTS3141592926ISUSEDTONOTIFYTHEVALUEMUSTBEASKED" when a user attempts to access a critical target in interactive login, but quits via the escape key or due to a timeout.
WAB-12214: Improve SQL request made when an AAPM client is authenticating.
WAB-12225: Fix an issue on the SMTP system page when trying to check a certificate against a SMTP server listening on a non-standard port.
WAB-12241: Fix file permission of the logger configuration preventing the change of the log level of the Bastion.
WAB-12247: Fix issue that allowed a disabled or expired FreeIPA user to connect to the Bastion SSH proxy with an SSH key or to the Bastion with an X.509 certificate.
WAB-12283: Add Hungarian keyboard layouts (named hu-HU). The previous keyboard layout hu-HU is renamed hu-HU.101-key.
WAB-12287: Improve RDP Client Keepalive description in the RDP proxy configuration options.
WAB-12378: Fix network interface renaming after upgrade.
WAB-12397: Remove mentions of traces in the log when no file needs to be transferred. [bastion-traceman]
WAB-12401: WAB wallix-config-restore.py exit code does not report errors
WAB-12412: Fix for Windows plugin to catch error when trying to change the password of a locked out account.
WAB-12452: WABSessionLogPurge: fix orphan file detection to prevent accidental deletion of hash files when some session files are temporarily not available.
WAB-12497: Fix inaccurate error message sent in case of rejected credential change.
WAB-12502: Improve the handling of untrusted HTTP hosts by returning a 400 error instead of redirecting on the UI and API.
WAB-12645: Add error about a file copy in the logs and in the output of the bastion-traceman job. When bastion-traceman failed to copy one individual file for a trace, it left the trace's files in the local storage (as expected), but would not report any error in the logs.
WAB-12671: Fix RAIL application that can appear partially or not at all in 4eyes when the primary monitor is not at the top-left corner of the virtual desktop.
WAB-12780: Fix emails sent to approvers by error for targets outside of their limitations.
WAB-12842: Fix an error message concerning remote storage when it was not configured.
WAB-12909: Fix restoration of backup when there are NULL values in the "owner" column of the SQL table "session_log".
WAB-12938: Fix error "STATUS_ACCOUNT_RESTRICTION" in Samba method of Windows password change plugin.
WAB-12999: Fix failure of session sharing between multiple RemoteApps when the target name is too long.
WAB-13026: Fix "WABSessionLogImport" when importing archives with a specific error in data format (see related fix WAB-13639). The import script will now handle the error, do its best efforts to recover the relevant data, and proceed to the end of the archive without a fatal error.
WAB-13037: Fix parallelization for change credentials in multiple domains.
WAB-13140: Improve workflow and error handling in Windows password change plugins.
WAB-13150: Fix the Local domain field in the device and application accounts forms.
WAB-13153: Fix the warning message when lowering the security level.
WAB-13162: Add support of accounts with shell different from /etc/cli.sh in Checkpoint GAIA password change plugin.
WAB-13209: Fix Kerberos form in edit mode then a keytab file is not provided.
WAB-13261: Fix the creation of approval requests starting in the past and bypassing the current allowed timeframe (security fix).
WAB-13272: Update libgnutls30 package to fix this security advice: CVE-2024-12243.
WAB-13275: Fix the SIEM message on session log purge that only contained one session.
WAB-13296: synchronize-cluster fails when there are too much folder in /var/wab/hash
WAB-13396: Improve Users > Groups page by renaming the User number column to Local users.
WAB-13496: Fix a Python import error during upgrade of the Bastion.
WAB-13519: Remove credential cache file left after rotation in Kerberos method of Windows password change plugin.
WAB-13548: Fix the encryption level of the Discovery service and use HTTPS as the default method for connecting to Windows devices through WinRM.
WAB-13722: Fix the Discovery service status that was not stopped when deactivating the corresponding configuration option.

2.3 Bug fixes in WALLIX Bastion 12.0.2

WAB-8391: Improve the user interface by hiding the iDrac network interface of Dell physical appliances.
WAB-10754: Upgrade the Apache server to fix multiple vulnerabilities.
WAB-10910: Add the option for administrators to reencrypt the LUKS volume.
WAB-11005: Fix wrong script path in the replication cron jobs.
WAB-11007: Fix the removal of the monitoring cron job of the replication.
WAB-11011: Fix the "--elevate-master" option of the replication script.
WAB-11051: Fix the HA installation workflow if the system locale is not in English.
WAB-11063: Improve GCP agent configuration.
WAB-11087: Fix the automatic partition resizing on cloud images.
WAB-11103: Fix notifications for OCR and keyboard input-based pattern detection.

2.4 Bug fixes in WALLIX Bastion 12.0.1

WAB-6364: Fix permanent connection file when the user is in an authentication domain with the Server Domain Name different from the Authentication Domain Name.
WAB-6420: Fix usage of variable approvers in custom e-mail templates.
WAB-6643: Fix issues with bastion-debugging-tools.
WAB-6969: Improve external authentications to ensure that the Last Connection field updates in scenarios where the User Name attribute is configured as UserPrincipalName.
WAB-7484: Improve "Missing authorization UID for right" log message by changing the log level to TRACE.
WAB-7489: Add anonymization of table "activity" in script bastion-db-anonymizer.
WAB-7605: Fix wrong behavior when activating or deactivating IP Source Routing where /32 routes were deleted.
WAB-7623: Improve HA Database Replication by forbidding the execution on some command in slave.
WAB-7711: Remove exception from file /var/log/apache2/wabrest-uwsgi.log when an object is not found in REST API.
WAB-7812: Improve the error message for Domain server name field in the Authentication domains page. The name should comply with the Domain Naming Convention.
WAB-8019: Improve message displayed to user for TLS errors with RDP connections.
WAB-8042: Improve readability by renaming the "Authentication domain name" field to "Server domain name" in the Groups form for users.
WAB-8243: Fix account mapping login issue from Access Manager when user password contains special characters like "é", "ü", "ß", "¾", or "§".
WAB-8268: Fix approval requests obtention for an external user.
WAB-8269: Fix the installation of HA database replication when the database passwords of the cluster nodes are different.
WAB-8283: Fix CSV export for Global Domain configuration.
WAB-8288: Fix the sending of notifications that was not always working.
WAB-8529: Fix the session audit right being transferable by a user who does not have this right.
WAB-8990: Fix WALLIX Bastion outage when filesystem is full and trying to download debug logs zip file.
WAB-8991: Improve Bastion-replication script which now checks the license for clustering entitlement.
WAB-8993: Fix parsing of LDAP user e-mails for approval permissions.
WAB-9031: Fix issue which allows to configure an invalid FQDN in the setup screens.
WAB-9069: Fix the --resync command in HA Database Replication.
WAB-9164: Fix an issue, in the context of approval workflow or auditor 4-hands, where the refused message notification can randomly be silenced while in RDP pending page.
WAB-9186: Fix CAL per Device license management when using multiple RDS in an application cluster.
WAB-9241: Fix translation of some fields on the website that were using the browser language instead of the Bastion user language.
WAB-9295: Fix reconciliation of password in Unix password change plugin.
WAB-9375: Fix the absence of two csv reports in the daily reporting e-mail.
WAB-9413: Increase default number of concurrent connections allowed to 30.
WAB-9486: Improve compatibility with HA database replication by reducing the size of the password generated for the database to 32 characters.
WAB-9497: Fix reconciliation for SSH key change in Unix password change plugin.
WAB-9514: Improve approval display time for approvers on large LDAP directory.
WAB-9561: Improve REST API target password checkout by adding real domain name for global domain accounts.
WAB-9684: Add return of error 503 in API endpoint "/api/ldapuser" if the LDAP/AD server is not reachable.
WAB-9711: Fix access to an application outside authorized time frames.
WAB-9718: Fix security issue caused by the database root password being displayed in the process list and in error messages.
WAB-9733: Fix connection to target with a local account discovered by a discovery scan.
WAB-9755: Improve performance of the Audit > Session history page on the web interface.
WAB-9804: Add LDAP case insensitive option to perform case insensitivity checks for LDAP or Active Directory mappings. This option affects the performance of the user listing.
WAB-9818: Add extended mouse buttons support in RDP sessions.
WAB-9819: Fix regeneration and upload of a new SSH private key in an account when it already has one.
WAB-9827: Fix wrong Bastion version being displayed on the grub menu after upgrade.
WAB-9834: Fix wrong EHLO command by sending a correct hostname.
WAB-9859: Fix to ensure that a self-approval request is only possible if the requester is a member of the approvers group.
WAB-9886: Fix to ensure adding of new routes with a subnet of 255.255.255.255 or 32 to the appliance interface no longer deletes routes with a submask of 255.255.255.255 or 32.
WAB-9963: Improve Filesystem Virtual Channel Manager to ignore malformed requests.
WAB-9988: Fix profile addition by a limited administrator.
WAB-9998: Fix to allow auditors with a group restriction to see accounts activities under their control.
WAB-9999: Add anonymization of authentication domains in script bastion-db-anonymizer.
WAB-10056: Update kernel version to version 6.1.85-1 in order to fix following security advice: CVE-2023-2176 CVE-2023-6270 CVE-2023-7042 CVE-2023-28746 CVE-2023-47233 CVE-2023-52429 CVE-2023-52434 CVE-2023-52435 CVE-2023-52583 CVE-2023-52584 CVE-2023-52587 CVE-2023-52588 CVE-2023-52589 CVE-2023-52593 CVE-2023-52594 CVE-2023-52595 CVE-2023-52597 CVE-2023-52598 CVE-2023-52599 CVE-2023-52600 CVE-2023-52601 CVE-2023-52602 CVE-2023-52603 CVE-2023-52604 CVE-2023-52606 CVE-2023-52607 CVE-2023-52616 CVE-2023-52617 CVE-2023-52618 CVE-2023-52619 CVE-2023-52620 CVE-2023-52621 CVE-2023-52622 CVE-2023-52623 CVE-2023-52630 CVE-2023-52631 CVE-2023-52632 CVE-2023-52633 CVE-2023-52635 CVE-2023-52637 CVE-2023-52638 CVE-2023-52639 CVE-2023-52640 CVE-2023-52641 CVE-2024-0340 CVE-2024-0841 CVE-2024-1151 CVE-2024-2201 CVE-2024-22099 CVE-2024-23850 CVE-2024-23851 CVE-2024-24857 CVE-2024-24858 CVE-2024-26581 CVE-2024-26582 CVE-2024-26583 CVE-2024-26584 CVE-2024-26585 CVE-2024-26586 CVE-2024-26590 CVE-2024-26593 CVE-2024-26600 CVE-2024-26601 CVE-2024-26602 CVE-2024-26603 CVE-2024-26606 CVE-2024-26621 CVE-2024-26622 CVE-2024-26625 CVE-2024-26626 CVE-2024-26627 CVE-2024-26629 CVE-2024-26639 CVE-2024-26640 CVE-2024-26641 CVE-2024-26642 CVE-2024-26643 CVE-2024-26651 CVE-2024-26654 CVE-2024-26659 CVE-2024-26660 CVE-2024-26663 CVE-2024-26664 CVE-2024-26665 CVE-2024-26667 CVE-2024-26671 CVE-2024-26673 CVE-2024-26675 CVE-2024-26676 CVE-2024-26679 CVE-2024-26680 CVE-2024-26681 CVE-2024-26684 CVE-2024-26685 CVE-2024-26686 CVE-2024-26687 CVE-2024-26688 CVE-2024-26689 CVE-2024-26695 CVE-2024-26696 CVE-2024-26697 CVE-2024-26698 CVE-2024-26700 CVE-2024-26702 CVE-2024-26704 CVE-2024-26706 CVE-2024-26707 CVE-2024-26710 CVE-2024-26712 CVE-2024-26714 CVE-2024-26715 CVE-2024-26717 CVE-2024-26718 CVE-2024-26720 CVE-2024-26722 CVE-2024-26723 CVE-2024-26726 CVE-2024-26727 CVE-2024-26731 CVE-2024-26733 CVE-2024-26735 CVE-2024-26736 CVE-2024-26737 CVE-2024-26741 CVE-2024-26742 CVE-2024-26743 CVE-2024-26744 CVE-2024-26745 CVE-2024-26747 CVE-2024-26748 CVE-2024-26749 CVE-2024-26750 CVE-2024-26751 CVE-2024-26752 CVE-2024-26753 CVE-2024-26754 CVE-2024-26759 CVE-2024-26760 CVE-2024-26761 CVE-2024-26763 CVE-2024-26764 CVE-2024-26765 CVE-2024-26766 CVE-2024-26769 CVE-2024-26771 CVE-2024-26772 CVE-2024-26773 CVE-2024-26774 CVE-2024-26775 CVE-2024-26776 CVE-2024-26777 CVE-2024-26778 CVE-2024-26779 CVE-2024-26780 CVE-2024-26781 CVE-2024-26782 CVE-2024-26787 CVE-2024-26788 CVE-2024-26789 CVE-2024-26790 CVE-2024-26791 CVE-2024-26792 CVE-2024-26793 CVE-2024-26795 CVE-2024-26798 CVE-2024-26800 CVE-2024-26801 CVE-2024-26802 CVE-2024-26803 CVE-2024-26804 CVE-2024-26805 CVE-2024-26809 CVE-2024-26810 CVE-2024-26811 CVE-2024-26812 CVE-2024-26813 CVE-2024-26814 CVE-2024-26815 CVE-2024-26816 CVE-2024-27437.
WAB-10072: Add a mechanism that automatically stops SQL replication during a restore, then re-synchronizes the nodes and restarts the synchronization.
WAB-10075: Improve logs readility by no longer creating logs when there is a logging attempt with an incorrect username.
WAB-10123: Fix AD authentication test for GSS-API bind method.
WAB-10147: Fix issue where the RDP Proxy configuration can not be modified on a fresh install.
WAB-10167: Improve user experience by scheduling a single checkin task after multiple checkouts of the same account by the same user.
WAB-10175: Fix Application Driver automatic deployment.
WAB-10217: Update WALLIX-PuTTY to version 0.81.1 to fix the following security issue: CVE-2024-31497.
WAB-10220: Add parameters to fine tune RDP targets authentication phase.
WAB-10244: Improve backups by allowing a backup to happen while bastion-traceman is running.
WAB-10253: Remove default evaluation license for Cloud installations.
WAB-10254: Fix wabadmin password change prompt not being displayed on Azure at the first shell login.
WAB-10255: Fix support of legacy hash algorithms for the local user password hashes.
WAB-10299: Fix removing redirected drive of Session Probe.
WAB-10312: Fix RDP sessions with corrupted recordings that leave TMP files.
WAB-10333: Fix forwarding of arguments to WABInitReset properly when ran as wabadmin.
WAB-10385: Remove a question about the "crypto" during the configuration of the HA Database Replication. The answer was not used.
WAB-10386: Fix superset cookie issue.
WAB-10407: Fix the Palo Alto change password plugin.
WAB-10519: Update the VMware disk from ".vmdk" to ".ova".
WAB-10746: Update Debian packages in order to fix this security advice: CVE-2024-6387.
WAB-10865: Fix non-functional boot in EFI SecureBoot mode.
WAB-10877: Add audit logs related to SIEM settings when the log format is changed or the filter configuration is changed.
WAB-10889: Fix of file rights under /var/wab/hash when restoring a backup. The standard rights expected on a bastion are now restored.
WAB-10917: Fix Network and Service control pages, as well as the WABNetworkConfiguration script, in WALLIX One Remote Access environments.

2.5 Bug fixes in WALLIX Bastion 12.0

WAB-3403: Fix default retention time of critical backups
WAB-4349: Fix display of some characters in the edit boxes on RDP internal pages with MSTSC
WAB-6251: Fix LDAP/AD authentication domain information in the admin guide
WAB-6416: Removal of the second successful authentication from the authentication history when a legacy page is displayed in the new UI
WAB-6971: Fix license counter for concurrent users in the event of disconnection or session expiration
WAB-7058: Fix documentation to include the new Palo Alto PANOS plugin name and version
WAB-7112: Fix permissions on apache2 log files
WAB-7170: Update ICAP client to 0.6.11 to support reqmod and respmod response with null-body header > 0
WAB-7208: Fix to use the Hashicorp Vault with a secret engine with a slash in the path
WAB-7342: Fix view of approval request details in page Audit > Session history for auditors
WAB-7443: Fix error in display of unused resources data
WAB-7537: Fix timeout issue when rotating many SSH keys
WAB-7549: Fix to no longer truncate values above 20 characters when an object is updated, to improve wabaudit logs
WAB-7592: Fix of a traceback occurring when trying to upgrade a Bastion with the crypto locked
WAB-7629: Fix the account search bar for Microsoft Entra ID accounts
WAB-7712: Update mariadb to version 10.5.19-0+deb11u2~bpo10+wallix1 to fix the following security issue: CVE-2021-27928
WAB-7724: Fix Session Probe launch that was blocked by the message "A referral was returned from the server"
WAB-7744: Fix multiple passwords associated with the same account when rotating secrets in Master/Master SQL Replication cluster
WAB-7781: Fix replication installation if the passphrase or password of the wabadmin or wabsuper users contains the character "%"
WAB-7799: Fix inability to use the same remote storage with two WALLIX Bastion
WAB-7811: Fix test network parameters with port GC-SSL (3289) in external authentications
WAB-7813: Fix information message for groups when adding a mapping for a SAML authentication domain
WAB-7856: Fix the device configuration by permitting the use of /0 as a subnet
WAB-7858: Improvement of syslog-ng by upgrading to version 3.38.1
WAB-7920: Fix default value of "Hide client name" parameter in RDP Configuration options to false
WAB-7936: Optimization of session logs deletion when running WABSessionLogExport script
WAB-8003: Fix product-version value of legacy license keys in the json context file generated for the 4.x, 5.x, and 6.x key codes
WAB-8026: Fix to ensure non-approver users cannot receive approval request notifications and approve them
WAB-8034: Fix the display of Bastion user groups in the external users view when the same LDAP/AD mapping is present in several of these groups
WAB-8038: Fix WALLIX Bastion becoming unreachable when adding an entry in /etc/hosts
WAB-8042: Improvement of readability by renaming 'authentication domain name' to 'server domain name'
WAB-8154: Fix x509 connection with an Active Directory user without setting up a default mapping
WAB-8197: Fix random process monitoring failure by Session Probe
WAB-8227: Implementation of support for the new PuTTY SSH private key file format PPK3 in WALLIX-PuTTY
WAB-8357: Fix error log being displayed when starting HA mysql replication using master/slave mode
WAB-8551: Update axios dependency to version 1.6.5 to fix the following security issue: CVE-2023-26159
WAB-8785: Fix SSH connection failures when using SSH client with kex strict extension and Diffie-Hellman key exchange algorithms
WAB-8987: Fix system events not being sent to the SIEM
WAB-9051: Improvement of Bastion performances related to License management
WAB-9073: Fix "Configuration options" events not being sent to the SIEM
WAB-9108: Fix to use saved password when testing LDAP external authentication connection
WAB-9115: Fix trace integrity error when the RDP or SSH session was interrupted by a service restart
WAB-9127: Fix a minor warning message related to redis when upgrading
WAB-9130: Fix access to video resolution when playing encrypted RDP sessions
WAB-9138: Fix inability to launch Session Probe if the Remote Desktop Connection window is minimized
WAB-9157: Fix 'Service control' page after a factory reset. Improve Factory Reset component list: remote storage, SIEM, SNMP, SMTP, and time service
WAB-9169: Addition of the "secure" flag on the Superset session cookie (Dashboards)
WAB-9177: Fix failure in RDP authentication when multi-factor response can be empty
WAB-9218: Fix retrieval of AD group membership information for a target account in an RDP session
WAB-9230: Removal of sensitive data from the debug log
WAB-9232: Fix the order of values that are modified for the log message of cluster edition
WAB-9268: Fix the adminkit error and potential slowdowns on the graphical interface
WAB-9271: Fix to close port 80 when disabling insecure HTTP redirection
WAB-9292: Fix bug where checking the "Enable IP source routing" checkbox in the network configuration page of the GUI of a Bastion with at least three interfaces would display a blank page
WAB-9302: Modification of default startup configuration for WALLIX daemons
WAB-9334: Fix "Applications" list after modifying a target cluster
WAB-9336: Fix to use the TRACE log level to write requests and responses in log file when debug is enabled
WAB-9363: Fix an issue where permission on /var/wab/hash directories would not be set correctly after restoring a backup
WAB-9403: Fix to automatically close primary sessions that are still open by error
WAB-9469: Fix permissions on recording files when moved to a SMB/CIFS remote storage
WAB-9479: Removal of Celery "broker" and "backend" options from the Web interface
WAB-9492: Fix permission issue on the backup daemon socket
WAB-9545: Fix of the cryptography initialization by bastion-init-crypto script to initialize account mapping domain
WAB-9611: Fix to display an error on the web interface after backup restoration in case of internal error in the "backup daemon" service
WAB-9715: Improvement of readability by renaming services in watchdog notifications: wabrest → wabrestapi and rdb → redemption
WAB-9726: Fix to display Bastion version on exactly 3 digits on page System / Status of the web interface
WAB-9837: Update the default LDAP client TLS cipher suite. This may prevent reaching older directories

3 Known issues

WAB-1627: When restoring a backup, the services mapping is not applied. A workaround is to change the service mapping in the Web interface, and then return to the previous mapping.
WAB-3159: Password expiration e-mails are sent after 999 days, even if no expiration is configured in the local password policy.
WAB-3848: The Domains page can take up to a minute to load if many domains are configured.
WAB-5988: The value taken into account for Configuration > Configuration options > License configuration > main > License report threshold 1 is 75%, regardless of the value set by the user.
WAB-8198: The "bastion-change-redis-password" command accepts an empty password although this is not supported by WALLIX Bastion.
WAB-9030: Resizing shell windows in appliance makes Curse based terminals crash.
WAB-9034: Entries in the Audit > Authentication history table are not displayed in UTC format, which can put some entries at an incorrect location if the Bastion timezone is changed.
WAB-9053: Scenario accounts in authorization with approval workflow cannot be used.
WAB-9659: When Session Timeout (configurable in Configuration > Configuration options > GUI) is modified, the modification is not applied until the wabrestapi service is restarted. As root, run systemctl restart wabrestapi to apply the modification.
WAB-10179: Cluster import via CSV does not work.
WAB-10279: User can log in with partial UserPrincipalName when using UserPrincipalName as login attribute.
WAB-11455: Some Vault Transformation Rules (VTR), such as ${USER:/wlx/adm}, do not work for e-mail logins.
WAB-13232: Migration on-prem to Saas don't include SIEM configuration
WAB-13495: When upgrading, if the disk quota could not be enabled due to a too large existing partition, the message is in the middle of the upgrade logs.
WAB-13550: WABSessionLogIntegrityChecker fails to report messages with an OK status to the SIEM, and a double quote is missing from the message (regardless of whether the status is OK or an error).
WAB-13672: During a version upgrade using Backup/Restore, if the source Bastion contains a signed custom secret rotation plugin, secret rotation will no longer work on the target Bastion for devices or domains using this plugin. Import the plugin to the target Bastion before restoring the backup.
WAB-13678: The WinRM method in Windows plugin works only with reconciliation, so an administrator account is required in the domain settings.
WAB-13691: When restoring a backup from a previous version without the tls_signature_algorithms field, it will get the default value equivalent to the High, Sogis, and Oss security levels. If you encounter RDP connection issues in the Low security level, manually clear the TLS signature algorithms field in Configuration > Configuration options > RDP proxy > Client or reapply the security level with: WABSecurityLevel --reapply.

4 Known limitations

No known issue are part of this version.