2.9.0 release notes

March 21, 2023

NGINX Instance Manager 2.9.0 release notes

Upgrade Paths

NGINX Instance Manager 2.9.0 supports upgrades from these previous versions:

  • 2.6.0 - 2.8.0

If your NGINX Instance Manager version is older, you may need to upgrade to an intermediate version before upgrading to the target version.

Security updates

Important
For the protection of our customers, NGINX doesn’t disclose security issues until an investigation has occurred and a fix is available.

This release includes the following security updates:

  • Instance Manager vulnerability CVE-2023-1550

    NGINX Agent inserts sensitive information into a log file (CVE-2023-1550). An authenticated attacker with local access to read NGINX Agent log files may gain access to private keys. This issue is exposed only when the non-default trace-level logging is enabled.

    NGINX Agent is included with NGINX Instance Manager, and used in conjunction with API Connectivity Manager and the Security Monitoring module.

    This issue has been classified as CWE-532: Insertion of Sensitive Information into Log File.

    • Avoid configuring trace-level logging in the NGINX Agent configuration file. For more information, refer to the [Configuring the NGINX Agent](https://docs.nginx.com/nginx-one-console/agent/configure-instances/configuration-overview/) section of the documentation. If trace-level logging is required, ensure only trusted users have access to the log files.

    • NGINX Agent 2.23.3
    • Instance Manager 2.9.0

    For more information, refer to the MyF5 article K000133135.
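
One way to check a host for the exposure condition described above (trace-level logging plus log files readable by untrusted users). This is an added example, not part of the release notes or of NGINX Agent; it assumes the agent configuration is YAML with a top-level `log:` block holding `level:` and `path:` keys, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the agent config is YAML with a top-level "log:"
# block that contains "level:" and "path:" keys.

# Print the value of key $2 inside the top-level "log:" block of file $1.
agent_log_setting() {
    awk -v key="$2" '
        /^log:/      { in_log = 1; next }
        /^[^ \t#]/   { in_log = 0 }              # next top-level key ends the block
        in_log && $1 == (key ":") {
            sub(/^[ \t]*[^:]+:[ \t]*/, "")       # drop the key and its colon
            sub(/[ \t]+#.*$/, "")                # drop a trailing comment
            sub(/[ \t]+$/, "")                   # drop trailing whitespace
            print; exit
        }' "$1" | tr -d "\"'"                    # drop YAML quotes
}

# Exit status: 0 = trace logging off, 1 = trace on but no world-readable logs,
# 2 = trace on and at least one log file is readable by "other" users.
audit_agent() {
    level=$(agent_log_setting "$1" level | tr '[:upper:]' '[:lower:]')
    if [ "$level" != "trace" ]; then
        echo "OK: log level is '${level:-unset}' in $1"
        return 0
    fi
    logdir=$(agent_log_setting "$1" path)
    echo "WARN: trace-level logging is enabled in $1 (CVE-2023-1550 condition)"
    if [ ! -d "$logdir" ]; then
        echo "NOTE: log path '$logdir' is not a directory; check it manually"
        return 1
    fi
    exposed=$(find "$logdir" -type f -perm -004)
    if [ -n "$exposed" ]; then
        echo "FAIL: world-readable log files:"
        echo "$exposed"
        return 2
    fi
    echo "NOTE: no world-readable log files; review owner and group membership"
    return 1
}

# Usage: sh audit_agent.sh /path/to/nginx-agent.conf
if [ "$#" -gt 0 ]; then audit_agent "$1"; fi
```

A non-zero status means trace logging is on; treat any log written while it was enabled as potentially containing private keys.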

What’s new

This release includes the following updates:

  • New webpages for viewing Attack Signature and Threat Campaigns

    The Instance Manager web interface now allows you to view Attack Signatures and Threat Campaign packages published to instances and instance groups. You can also publish these packages using the precompiled publication mode.

  • NGINX Agent supports Rocky Linux 8 and 9

    The NGINX Agent now supports Rocky Linux 8 (x86_64, aarch64) and 9 (x86_64, aarch64). The NGINX Agent supports the same distributions as NGINX Plus. For a list of the supported distributions, refer to the NGINX Plus Technical Specs guide.

  • New Events for CUD actions

    Events will be triggered for CREATE, UPDATE, and DELETE actions on Templates, Instances, Certificates, Instance Groups, and Licenses.

  • The Certificate and Keys webpage has a new look!

    Our new and improved Certificates and Keys webpage makes it easier than ever to efficiently manage your TLS certificates.

  • Add commit hash details to NGINX configurations for version control

    Use the Instance Manager REST API to add a commit hash to NGINX configurations if you use version control, such as Git.


Changes in default behavior

This release has the following changes in default behavior:

  • SSL Certificates can be associated with Instance Groups

    When assigning SSL certificates for the NGINX data plane, you have the option of associating them with a single instance or with an instance group. When associated with an instance group, the certificates will be shared across all instances in the group.

  • ⚠ Action required: OIDC configurations for the management plane must be updated after upgrading to Instance Manager 2.9.0

    OIDC configuration files were modified to improve support for automation and integration in CI/CD pipelines. To continue using OIDC after upgrading to Instance Manager 2.9.0, you’ll need to update these configuration files.

    To take advantage of the expanded functionality for OIDC authentication with NGINX Management Suite, we recommend following one of these two options:

    1. During the upgrade, type Y when prompted to respond Y or I: install the package maintainer's version for each of the following files:

      • /etc/nms/nginx/oidc/openid_configuration.conf
      • /etc/nms/nginx/oidc/openid_connect.conf
      • /etc/nms/nginx/oidc/openid_connect.js
    2. After the upgrade finishes, make the following changes to the /etc/nms/nginx/oidc/openid_configuration.conf file using the /etc/nms/oidc/openid_connect.conf.dpkg-old that was created as a backup:

      • Uncomment the appropriate "Enable when using OIDC with" for your IDP (for example, keycloak, azure).
      • Update $oidc_authz_endpoint value with the corresponding values from openid_connect.conf.dpkg-old.
      • Update $oidc_token_endpoint value with the corresponding values from openid_connect.conf.dpkg-old.
      • Update $oidc_jwt_keyfile value with the corresponding values from openid_connect.conf.dpkg-old.
      • Update $oidc_client and $oidc_client_secret with corresponding values from openid_connect.conf.dpkg-old.
      • Review and restore any other customizations from openid_connect.conf.dpkg-old beyond those mentioned above.
    3. Save the file.

    4. Restart NGINX Management Suite:

      sudo systemctl restart nms
    5. Restart the NGINX web server:

      sudo systemctl restart nginx

    1. Before upgrading Instance Manager, edit the following files with your desired OIDC configuration settings:

      • /etc/nginx/conf.d/nms-http.conf
      • /etc/nms/nginx/oidc/openid_configuration.conf
      • /etc/nms/nginx/oidc/openid_connect.conf
      • /etc/nms/nginx/oidc/openid_connect.js
    2. During the upgrade, type N when prompted to respond N or O: keep your currently-installed version.

    3. After the upgrade finishes, replace /etc/nms/nginx/oidc/openid_connect.js with openid_connect.js.dpkg-dist.

    4. Restart NGINX Management Suite:

      sudo systemctl restart nms
    5. Restart the NGINX web server:

      sudo systemctl restart nginx
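
A post-upgrade check for the two procedures above, based on the backup suffixes dpkg leaves behind (`.dpkg-old` when the maintainer's version was installed, `.dpkg-dist` when the local version was kept). This is an added example, not part of the release notes; the function and state names are hypothetical.

```shell
#!/bin/sh
# Added example: report where each OIDC file stands after the upgrade.
OIDC_FILES="openid_configuration.conf openid_connect.conf openid_connect.js"

# Print the state of file $2 in directory $1.
oidc_file_state() {
    f="$1/$2"
    if [ ! -f "$f" ]; then
        echo missing
    elif [ -f "$f.dpkg-old" ]; then
        echo maintainer-installed    # answered Y/I: your old file is the .dpkg-old
    elif [ -f "$f.dpkg-dist" ]; then
        # answered N/O: the packaged file is the .dpkg-dist
        if cmp -s "$f" "$f.dpkg-dist"; then echo replaced-with-dist
        else echo local-kept; fi
    else
        echo unchanged
    fi
}

# Return 0 when nothing is pending, 1 when a step from the procedure remains.
oidc_upgrade_report() {
    pending=0
    for name in $OIDC_FILES; do
        state=$(oidc_file_state "$1" "$name")
        echo "$name: $state"
        case "$state" in
            missing) pending=1 ;;
            maintainer-installed)
                echo "  restore your IdP values from the .dpkg-old backup, then restart nms and nginx"
                # The backup can still hold the client secret; flag it if world-readable.
                [ -z "$(find "$1/$name.dpkg-old" -perm -004)" ] ||
                    echo "  WARN: $name.dpkg-old is world-readable"
                ;;
            local-kept)
                # Second procedure, step 3: openid_connect.js must be replaced.
                [ "$name" != "openid_connect.js" ] || pending=1 ;;
        esac
    done
    return "$pending"
}

# Usage: sh oidc_check.sh /etc/nms/nginx/oidc
if [ "$#" -gt 0 ]; then oidc_upgrade_report "$1"; fi
```

The script cannot tell whether values were already copied out of a `.dpkg-old` backup, so it only prints a reminder for that state.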

Resolved issues

This release fixes the following issues. Use your browser’s search function to find the issue ID in the page.

  • After upgrading to NGINX Instance Manager 2.1.0, the web interface reports timeouts when NGINX Agent configs are published (32349)
  • Scan misidentifies some NGINX OSS instances as NGINX Plus (35172)
  • Scan does not update an unmanaged instance to managed (37544)
  • "Public Key Not Available" error when upgrading Instance Manager on a Debian-based system (39431)
  • The Type text on the Instances overview page may be partially covered by the Hostname text (39760)
  • System reports "Attack Signature does not exist" when publishing default Attack Signature (40020)
  • App Protect: "Assign Policy and Signature Versions" webpage may not initially display newly added policies (40085)
  • Precompiled Publication setting is reverted to false after error publishing NGINX App Protect policy (40484)
  • Upgrading NGINX Management Suite may remove the OIDC configuration for the platform (41328)

Known issues

You can find information about known issues in the Known Issues topic.