Release Notes

Version: 5.6.0
Release date: 29 Aug 2024
Scope: Focused on new functionalities, enhancements and bug fixes

New Features, Improvements and Enhancements

Details
Continuous support for My OPSWAT and Central Management v8 integration

MetaDefender ICAP Server is now manageable on My OPSWAT / Central Management v8, offering complete control across all product functionalities:

  • Workflow Rules
  • Inventory (Server profiles and block pages configuration)
  • Global Settings
  • Data Retention

After enrollment, these settings are locked in the MetaDefender ICAP Server management console. To make changes, use the My OPSWAT / Central Management v8 console.

For My OPSWAT integration, a PIN code is required for any configuration change to MetaDefender ICAP Server made from the My OPSWAT console.

PostgreSQL 15 remote support

MetaDefender ICAP Server now supports remote PostgreSQL database v15, in addition to the continued support for PostgreSQL v14.

Important: The product does not upgrade the customer's remote PostgreSQL version.

Note: The bundled PostgreSQL version remains at v12.20 in this release.

Security enhancements

Upgraded third-party libraries for vulnerability fixes:

  • OpenLDAP v2.5.17 (Windows)
  • Libxml2 v2.12.9
  • PostgreSQL v12.20

Front-end enhancements:

  • Hardened the Strict Transport Security header (HSTS)
  • Disabled auto-fill password on login page

Docker enhancements

Introduced new settings for the On-Premises License Management Server (OLMS) proxy.

For more details, refer to the Docker run parameter documentation.

Usability enhancements/changes
  • Supports proxy for On-Premises License Management Server (OLMS).

  • Enhanced processing history UI to correlate with MetaDefender Core data IDs.

  • Support for IdP-initiated SSO to sign in to MetaDefender ICAP Server via the Identity Provider site.

    • IdP-initiated SSO allows users to log in to the MetaDefender ICAP Server dashboard directly from the IdP homepage.
    • To enable this feature, configure the setting under the SSO User Directory page in the MetaDefender ICAP Server UI.
  • Additional configuration options:

    • global/enable_no_content_scan_logging: When set to false, scans with the verdict "No Content To Scan" will not be logged in the database (default setting is true).
    • global/enable_preview_header: When set to false, the headers "preview" and "Transfer-Preview" will be removed from the OPTIONS response (default setting is true; used for integration with Software AG).
    • Refer to Configuration file for more details.
  • New option to override the scan result when MetaDefender Core has insufficient disk space. This option is configurable per workflow in the Advanced Settings.

Discontinued support for Windows Server 2012 and Debian 9
  • Windows Server 2012: Microsoft has ended support for Windows Server 2012 as of October 2023. Reference
  • Debian 9 has been unsupported since June 2022

MetaDefender ICAP Server version 5.6.0 will no longer support these OS versions. We recommend that customers migrate their systems to newer and supported versions of Windows Server.

For a list of currently supported Windows OS versions, refer to Operating Systems.

Login banner

Added the ability to display a custom notice during the login process. For more details, see the Login banner documentation.

Bug Fixes

Details
Product stability improvements
  • Resolved a memory leak issue in version 5.5.1 when activated by OLMS.
  • Fixed an issue that prevented connection to remote PostgreSQL v14 on Windows.
  • Fixed an issue where the same internal PostgreSQL username was generated for MetaDefender Core when using the same remote PostgreSQL server.
  • Fixed an issue causing the loss of processing history during upgrades on newer versions of Kubernetes (K8S).

Minor fixes

Addressed various UI cosmetic issues and minor bugs.

Known Limitations

Details
Proxy configuration

HTTPS proxy configuration is currently not supported.

SAML directory (SSO integration) limitation

In MetaDefender ICAP Server v5.5.0, users cannot create a new SAML directory via the web UI.

  • Workaround: Use the REST API to create the SAML directory.
  • Impact: Existing SAML directories are not affected when upgrading to MetaDefender ICAP Server v5.5.0.
  • Resolution: This issue is resolved in MetaDefender ICAP Server v5.5.1 or newer.

Stability issues on Red Hat/CentOS with kernel version 372

MetaDefender ICAP Server 5.1.0 or newer may encounter stability issues on Red Hat/CentOS systems running kernel version 372.

Solution: Red Hat has addressed this issue in the latest kernel version 425.

MetaDefender ICAP Server's NGINX web server fails to start with weak cipher suites for HTTPS

In MetaDefender ICAP Server v5.1.0 or newer, OpenSSL 1.x has been replaced with OpenSSL 3.x within the product and other dependencies to enhance security and address vulnerabilities.

The OpenSSL 3.x used by NGINX on MetaDefender ICAP Server rejects all weak cipher suites. The web server only accepts "HIGH" encryption cipher suites (see https://www.openssl.org/docs/man1.1.1/man1/ciphers.html); suites based on MD5 or SHA1 hashing are also not accepted.

As a result, if you already configured MetaDefender ICAP Server for HTTPS using a weak SSL cipher with your certificate, the server will not start due to NGINX's OpenSSL 3.x enforcement.
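
A pre-upgrade check for the limitation above, given as an added example and not OPSWAT's own code: it pulls the ssl_ciphers value out of an NGINX configuration and lists the tokens that would add MD5/SHA1-based or non-"HIGH" suites. The classification is a name-based heuristic built on the OpenSSL cipher-string syntax; the sample configuration and the function names are constructed for illustration.

```python
import re

# OpenSSL cipher-string keywords that select non-"HIGH" classes or
# MD5/SHA1-based suites (keyword names from the ciphers manual page).
WEAK_KEYWORDS = {"LOW", "MEDIUM", "EXPORT", "EXP", "NULL", "ENULL", "ANULL",
                 "RC4", "RC2", "DES", "3DES", "IDEA", "SEED",
                 "MD5", "SHA", "SHA1"}

# Constructed sample, not taken from a MetaDefender ICAP Server installation.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-RSA-AES128-SHA:RC4-MD5:ECDHE-RSA-AES256-GCM-SHA384;
}
"""

def extract_ssl_ciphers(nginx_conf):
    """Return the value of every ssl_ciphers directive in the config text."""
    pattern = r'^\s*ssl_ciphers\s+["\']?([^;"\']+)["\']?\s*;'
    return re.findall(pattern, nginx_conf, flags=re.MULTILINE)

def weak_tokens(cipher_string):
    """List the tokens that add weak suites to the selection."""
    flagged = []
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        # '!' and '-' remove suites and a leading '+' only reorders them,
        # so none of these can introduce a weak suite.
        if not token or token[0] in "!-+":
            continue
        # Inside a token, '+' combines keywords (for example ECDHE+AESGCM).
        for part in token.upper().split("+"):
            # Full suite names end with their MAC: -SHA is SHA1, -MD5 is MD5.
            if part in WEAK_KEYWORDS or part.endswith(("-SHA", "-MD5")):
                flagged.append(token)
                break
    return flagged

if __name__ == "__main__":
    for value in extract_ssl_ciphers(SAMPLE_CONF):
        print(value, "->", weak_tokens(value) or "no weak tokens found")
```

An empty result only means no token names a weak suite; the final word is whether NGINX starts with the cipher string under OpenSSL 3.x.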

no_proxy configuration

Starting with MetaDefender ICAP Server v5.1.0, the no_proxy setting must support CIDR for IP addresses. For more details, refer to No Proxy configuration.

Connect to MetaDefender Core with TLS on Debian OS

On Debian OS, the following two commands must be executed for MetaDefender ICAP Server v5.1.0 to enable TLS when connecting to MetaDefender Core.

sudo mkdir -p /etc/pki/tls/certs/

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Resolution: This issue is fixed in MetaDefender ICAP Server v5.1.1.

TLS 1.3 is not supported on Windows Server 2012

TLS 1.3 is not supported on Windows Server 2012 due to limitations with Schannel SSP. Reference