General Updates
Fastly Engineers will be releasing our redesigned Fastly App Homepage on the 1st of November 2023.
When accessing our Fastly App at manage.fastly.com, customers will encounter a new user interface.
(Video Demo, 2023 Altitude Conference - Todd Nightingale, Fastly, Inc. CEO)
Fastly Engineers have performed numerous tests, both internally and externally in select enterprise support customers' environments. We do not anticipate any performance impact to customer configuration management or API services from this planned release.
Our network availability, point of presence locations, and all other products and services will be unaffected by this release.
Fastly Support teams have received advance demonstrations of this planned release and are readily available at https://support.fastly.com for any questions or concerns shared by Fastly customers.
We have changed the release date of our redesigned Fastly App Homepage to the 15th of November 2023.
We have constructed an "opt-in" feature that allows our customers to apply these homepage changes at their convenience.
On the 14th of November 2023 at 01:00 UTC, Fastly Engineering will remove, in our Amsterdam (AMS) Point of Presence (POP) configuration only, the ERD (old) ports that previously enabled the Azure Zero Rated Egress program. This is in response to an earlier reported change in Microsoft Azure’s Zero Rated Egress practices.
Our network availability and all other services are unaffected by this maintenance.
Additional Information:
Microsoft Azure made a change that affects Fastly’s Azure Zero Rated Egress program for the AMS POP only and does not impact any other Fastly POP. It requires customers to make a change on their own behalf, by the 29th of August 2023, in the Microsoft Azure Portal to retain zero rated egress between Microsoft Azure and Fastly.
On the 8th of August 2023, Fastly reached out to all customers with potential impact and asked that these customers verify their zero rated egress traffic was set with the proper preferences from their Microsoft Azure Billing tools.
Resources:
In late August 2023, Fastly Engineers became aware of a series of DDoS attacks against sites hosted by Fastly that employed the novel amplification mechanism described in CVE-2023-44487.
During these attacks, parts of our network experienced high volumes of traffic and customers may have seen intermittent slowness and elevated errors as a result.
In September 2023, Fastly deployed targeted mitigations which minimized the effectiveness of this type of attack, and deployed a series of improvements to our TLS termination engine that fully mitigate this and similar classes of attack on our network. As a result, CVE-2023-44487, reported on the 10th of October 2023, does not present any further risk to our network or our customers.
We are preparing a Fastly Blog post that will be shared on our https://www.fastly.com/blog site which will describe the actions Fastly took in more detail. Once the blog has been posted, we will share that link as an update to this status post.
Fastly Engineering identified an error in our NGWAF console email notification systems. Customers who may have requested password resets or anticipated email notification from our NGWAF console from Friday, the 8th of September 2023 at 17:37 UTC through to Monday, the 11th of September 2023 at 15:35 UTC may not have received the expected notification. This error has been corrected and customers will no longer experience impact.
If you attempt these actions, you should receive the expected email notification. If you have additional questions or concerns please engage our Support team through https://support.fastly.com. We apologize for this inconvenience and remain readily available to resolve any impact experienced as a result of this event.
Our network availability and all other services and locations were unaffected by this event.
On Friday, the 1st of September 2023, a third-party security researcher posted to social media that they had shared a possible vulnerability with Fastly and that we were delayed in responding to their security report.
Fastly Engineering has reviewed this report and identified minimal risk to Fastly customers, due to Fastly-specific architecture. In addition, our engineers have prepared and deployed a configuration update that has resolved any remaining possibility of an exploit.
This issue is resolved. Our investigation showed no evidence of any exploit of the vulnerability, and there are no further actions for our customers.
Fastly is currently investigating an issue with the billing system, including the billing portions of the Fastly configuration application and API.
Edge delivery, stats aggregation, and all other services are unaffected.
This issue has been identified and a fix is being implemented.
A fix has been implemented and we are monitoring the results.
This incident has been resolved. If customers have any questions about invoices or billing, please contact support@fastly.com or reach out to your account manager.
Vulnerability known as “Malformed HTTP/1.1 Request Causes Out Of Memory Error Within H2O Server With HTTP Backend (Zero Day)” (CVE-2023-30847).
Fastly is aware of a recently disclosed out-of-memory error vulnerability in H2O. Fastly has investigated the vulnerability to determine its exploitability within our environment and our interconnectivity with H2O systems.
At this time we have determined that our platform is not at risk from this vulnerability, but we will continue to monitor the situation.
On the 9th of December 2022, Fastly began investigation into a novel attack vector recently demonstrated in a blog post by security researchers, Claroty’s Team82. It uses JSON functions within SQL injection (SQLi) payloads that may not currently be detected by our NextGen and Legacy WAF products. Since the publication of this new attack vector, our teams have been working to extend detections for Fastly WAF products. Our teams have released a new scoring rule for the Fastly Legacy 2020 WAF that customers may deploy at their convenience.
Our team plans to release initial updates for Next Gen WAF Edge deployments, and a new agent version, that address this novel form of SQL injection later today. CloudWAF instances will be updated shortly thereafter.
Fastly will not be releasing new rules to address this issue for pre-2020 Legacy WAF. Pre-2020 Legacy WAF customers may contact securitysupport@fastly.com for assistance upgrading to 2020 or Next-Gen WAF options.
We've improved our agent's SQLI detection to address this attack vector.
To take advantage of this improved detection you will need to upgrade your agents to version 4.36.1. Our documentation on how to upgrade your agents can be found here: https://docs.fastly.com/signalsciences/upgrading/upgrading-an-agent/
If you are using a Cloud WAF or Edge Deployment, our team is currently upgrading these agents to take advantage of this improved SQLI detection.
If you have any questions, please reach out to securitysupport@fastly.com.
Fastly Next Generation WAF Edge deployments have now been updated to extend SQLI detections. No customer action is required to leverage these improvements.
Cloud WAF deployments have now been updated to extend SQLI detections.
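To illustrate the kind of detection gap these WAF updates address, here is a simplified, added example; it is not Fastly's rule set or agent code and not the Claroty research code. It places a signature that only understands classic tautology syntax beside a JSON-aware extension and runs both over constructed query strings. The SQL JSON function names it matches (json_extract, json_value, jsonb_* and similar) are real database helpers but are an assumption here, since the page does not list which functions are involved.

```python
import re
from urllib.parse import parse_qsl

# Simplified "classic" SQLi signature: a quote, then OR/AND, then a tautology
# built from a literal or a column comparison (e.g. ' OR '1'='1, ' OR 1=1).
# It stands in for a rule that only understands traditional SQL syntax.
CLASSIC_SQLI = re.compile(
    r"""['"]\s*(?:or|and)\s+(?:['"\d]|\w+\s*=)""", re.IGNORECASE
)

# JSON-aware extension: a quote, then within a short window a call to a SQL
# JSON function (json_extract, json_value, jsonb_..., etc.). The function
# family is assumed here; the page itself does not name the functions used.
JSON_SQLI = re.compile(
    r"""['"][^'"]{0,40}?\bjsonb?_[a-z_]+\s*\(""", re.IGNORECASE
)

RULES = {"classic-sqli": CLASSIC_SQLI, "json-sqli": JSON_SQLI}


def score_value(value: str) -> list[str]:
    """Return the names of the rules that match one decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def scan_query_string(query_string: str) -> dict[str, list[str]]:
    """Decode a query string and return {param: [matching rules]} for hits only."""
    findings = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        hits = score_value(value)
        if hits:
            findings[key] = hits
    return findings


# Constructed sample requests (not real traffic). The second one carries the
# same tautology shape as the first but routes it through a JSON function, so
# the classic rule alone misses it; the third is an ordinary JSON parameter
# that happens to mention a function name and must not be flagged.
SAMPLES = {
    "classic": "id=1'+OR+'1'='1",
    "json_function": "id=1'+OR+JSON_EXTRACT('{\"a\":1}','$.a')=1--",
    "benign_json_body": 'q={"op":"json_extract","path":"$.a"}',
}

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label:18} -> {scan_query_string(qs)}")
```

The benign sample is the part worth keeping in mind when extending a rule set this way: JSON in request parameters is normal application traffic, so a JSON-aware rule has to key on the function call in an injection context (quote followed by a call) rather than on the presence of JSON or a function name alone, or it will page on legitimate API clients.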