General Updates

 
18 April 2024, 13:49 UTC

A significant update from Let’s Encrypt, one of our integrated Certification Authorities (CA), may affect how customers access your website. On June 6th, 2024, end users on very old devices or software who visit sites secured with Let’s Encrypt certificates may receive insecure-connection warnings or be blocked from accessing your applications.


To protect your customer experience, we encourage you to confirm which CA you’re using. If it’s Let’s Encrypt and serving this type of traffic is a hard requirement, consider changing your TLS subscription to Certainly.


Learn more about the change and how to confirm your CA here. Our customer support team is here to help if you have any additional questions. You can reach us at https://support.fastly.com


We are dedicated to providing all our customers a secure and reliable online experience. We appreciate your attention to this matter and your continued trust in us. Thank you for your understanding and cooperation.


General Updates
 
11 January 2024, 02:20 UTC

Fastly is improving login experiences across Fastly and Signal Sciences consoles to make it simpler and easier for you to access Fastly products and services using a single set of login credentials. Starting Q1 2024, we'll be implementing a new web interface as part of the upgraded login experience. A summary of the main changes appears below.

  • Anticipated start date: 20th of February 2024

What's changing? What do I have to do?

You'll log in to Signal Sciences and Fastly accounts with a single set of credentials. Simplified login will allow you to use a single set of login credentials to access all products and features across Fastly's suite of offerings. If you have both Fastly and Signal Sciences accounts that use the same email address, you'll no longer need your Signal Sciences credentials. We'll also make sure to disable and purge your old credentials so they can't be used by accident.

Account linking will no longer be required. When the simplified login experience goes live, customers with both Fastly and Signal Sciences accounts will no longer need to manually link those accounts. Already have linked accounts? You won't need to do anything and can start using your Fastly credentials immediately.

Password changes and 2FA setup will happen in the Fastly console. Likewise, you'll be able to change passwords and set up two-factor authentication directly in the Fastly console for both Fastly and Signal Sciences accounts. This also means that you'll be able to switch between consoles seamlessly without having to log in again.

New passwords will be required to conform to NIST guidelines. Starting Q1 2024, complexity for new and changed passwords will be required to conform to digital identity guidelines from the National Institute of Standards and Technology (specifically, the NIST SP 800-63B guidelines).

When choosing new passwords and updating existing ones, Fastly will require your passwords to:

  • be at least 8 characters long
  • be no more than 72 characters long
  • contain at least one letter and one number

In addition, new and changed passwords cannot solely contain:

  • sequences of letters or numbers (e.g., 12345678, abcdefg)
  • repeated characters (e.g., 222222, aaaaaa)
  • adjacent key placements on a standard keyboard (e.g., QWERTY)

The system will specifically prevent you from choosing passwords that:

  • match any of your four previous passwords
  • match either your username or your email address
  • match commonly used passwords (e.g., password123, changeme)
  • use popular dictionary words in passwords of fewer than 16 characters (e.g., batterystaple) 

Existing passwords won't be affected until you choose to update them.
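
The rules listed above, expressed as a validator. This is an added illustration, not Fastly's implementation: the word lists, keyboard rows, function names, and the PBKDF2 storage format used for the previous-password comparison are assumptions made for the example.

```python
import hashlib, hmac, re

# Constructed sample lists (assumptions); real deployments load far larger sets.
COMMON = {"password123", "changeme"}
DICTIONARY = {"battery", "staple", "password", "welcome"}
RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789")
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

def hash_pw(pw, salt):
    # Hypothetical storage format: PBKDF2-HMAC-SHA256, illustrative parameters.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 600_000)

def _is_slice(pw, alphabets):
    # True when the whole password is one contiguous run, forwards or backwards.
    return any(pw in a or pw[::-1] in a for a in alphabets)

def check_password(pw, username, email, previous=()):
    """Return the list of violated rules; an empty list means accepted.
    previous: (salt, hash) pairs for earlier passwords, oldest first."""
    low, errors = pw.lower(), []
    if len(pw) < 8:
        errors.append("shorter than 8 characters")
    if len(pw) > 72:
        errors.append("longer than 72 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        errors.append("needs a letter and a number")
    if len(set(low)) == 1:
        errors.append("repeated character")
    if _is_slice(low, RUNS):
        errors.append("sequence")
    if _is_slice(low, KEYBOARD_ROWS):
        errors.append("keyboard pattern")
    if low in (username.lower(), email.lower()):
        errors.append("matches username or email")
    if low in COMMON:
        errors.append("commonly used password")
    if len(pw) < 16 and any(word in low for word in DICTIONARY):
        errors.append("dictionary word in short password")
    # Only the four most recent passwords count; compare hashes in constant time.
    if any(hmac.compare_digest(hash_pw(pw, s), h) for s, h in previous[-4:]):
        errors.append("reused password")
    return errors
```

Returning every violated rule, rather than stopping at the first, lets a password-change form show the user all problems in one pass.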

Session timeouts will be standardized and more secure. To help you increase your security posture on the Fastly platform, starting Q1 2024 all users will be logged out after 30 minutes of inactivity. Session timeouts will also have a default maximum of 12 hours for any organization that hasn't set up single sign-on. If your session timeout was previously set to greater than 12 hours, it will be reduced to 12 hours, and any timeout setting less than 12 hours will remain as is. The minimum timeout for sessions will be 30 minutes.

What's next? What else do I need to know?

That's it! We'll send you another email reminder about these changes just before the launch. 

Still have questions? Feel free to contact your account manager for additional details.


Compute, General Updates, API & Configuration Management, Fastly Application
 
15 November 2023, 17:00 UTC

Fastly Engineers will be releasing our redesigned Fastly App Homepage on the 1st of November 2023.

When accessing our Fastly App at manage.fastly.com, customers will encounter a new user interface.

( Video Demo, 2023 Altitude Conference - Todd Nightingale, Fastly, Inc. CEO )

Fastly Engineers have performed numerous tests, both internally and externally in select enterprise support customers' environments. We do not anticipate any performance impact to customer configuration management or API services from this planned release.

Our network availability, point of presence locations, and all other products and services will be unaffected by this release. 

Fastly Support teams have received advance demonstrations of this planned release and are readily available at https://support.fastly.com for any questions or concerns shared by Fastly customers.
 
15 November 2023, 17:01 UTC

We have changed the release date of our redesigned Fastly App Homepage to the 15th of November 2023.

We have constructed an "opt-in" feature that will allow our customers the ability to apply these homepage changes at their convenience.

General Updates
 
14 November 2023, 01:00 UTC

On the 14th of November 2023 at 01:00 UTC, Fastly Engineering will remove the ERD (old) ports only in our Amsterdam (AMS) Point of Presence (POP) configuration that previously enabled the Azure Zero Rated Egress program. This is in response to an earlier reported change in Microsoft Azure’s Zero Rated Egress practices.

Our network availability and all other services are unaffected by this maintenance.

Additional Information:

Microsoft Azure made a change that affects Fastly’s program for Azure Zero Rated Egress at the AMS POP only; it does not impact any other Fastly POP. The change required customers to make a change on their behalf by the 29th of August 2023, in the Microsoft Azure Portal, to retain zero rated egress between Microsoft Azure and Fastly.

On the 8th of August 2023, Fastly reached out to all customers with potential impact and asked that these customers verify their zero rated egress traffic was set with the proper preferences from their Microsoft Azure Billing tools.


General Updates
 
10 October 2023, 13:50 UTC

In late August 2023, Fastly Engineers became aware of a series of DDoS attacks against sites hosted by Fastly that employed the novel amplification mechanism described in CVE-2023-44487.

During these attacks, parts of our network experienced high volumes of traffic and customers may have seen intermittent slowness and elevated errors as a result. 

In September 2023, Fastly deployed targeted mitigations which minimized the effectiveness of this type of attack, and deployed a series of improvements to our TLS termination engine that fully mitigate this and similar classes of attacks on our network. As a result, CVE-2023-44487, reported on the 10th of October 2023, does not present any further risk to our network or our customers.

We are preparing a Fastly Blog post that will be shared on our https://www.fastly.com/blog site which will describe the actions Fastly took in more detail. Once the blog has been posted, we will share that link as an update to this status post.

 
11 September 2023, 16:23 UTC

Fastly Engineering identified an error in our NGWAF console email notification systems. Customers who may have requested password resets or anticipated email notification from our NGWAF console from Friday, the 8th of September 2023 at 17:37 UTC through to Monday, the 11th of September 2023 at 15:35 UTC may not have received the expected notification. This error has been corrected and customers will no longer experience impact.

If you attempt these actions, you should receive the expected email notification. If you have additional questions or concerns please engage our Support team through https://support.fastly.com. We apologize for this inconvenience and remain readily available to resolve any impact experienced as a result of this event.

Our Network availability and all other services and locations were unaffected by this event.

 
07 September 2023, 14:15 UTC

On Friday, the 1st of September 2023 a third party Security Researcher posted to social media that they had shared a possible vulnerability with Fastly and that we were delayed in responding to their security report.

Fastly Engineering has reviewed this report and identified minimal risk to Fastly customers, due to Fastly-specific architecture. In addition, our engineers have prepared and deployed a configuration update that has resolved any remaining possibility of an exploit.

This issue is resolved. Our investigation showed no evidence of any exploit of the vulnerability, and there are no further actions for our customers. 


General Updates
 
01 May 2023, 19:08 UTC

Fastly is currently investigating an issue with the billing system, including the billing portions of the Fastly configuration application and API.

Edge delivery, stats aggregation, and all other services are unaffected.

 
02 May 2023, 17:39 UTC

This issue has been identified and a fix is being implemented. 

 
02 May 2023, 21:25 UTC

A fix has been implemented and we are monitoring the results.

 
03 May 2023, 16:06 UTC

This incident has been resolved. If customers have any questions about invoices or billing, please contact support@fastly.com or reach out to your account manager. 

General Updates
 
27 April 2023, 13:33 UTC

Vulnerability known as “Malformed HTTP/1.1 Request Causes Out Of Memory Error Within H2O Server With HTTP Backend (Zero Day)” (CVE-2023-30847).

Fastly is aware of a recently disclosed out of memory error vulnerability in H2O. Fastly has investigated the vulnerability to determine exploitability within our environment and interconnectivity with H2O systems. 

At this time we have determined that our platform is not at risk from this vulnerability, but we will continue to monitor the situation.

General Updates
 
09 December 2022, 16:33 UTC

On the 9th of December 2022, Fastly began investigation into a novel attack vector recently demonstrated in a blog post by security researchers, Claroty’s Team82. It uses JSON functions within SQL injection (SQLi) payloads that may not currently be detected by our NextGen and Legacy WAF products. Since the publication of this new attack vector, our teams have been working to extend detections for Fastly WAF products. Our teams have released a new scoring rule for the Fastly Legacy 2020 WAF that customers may deploy at their convenience.

Our team plans to release initial updates for Next Gen WAF Edge deployments, and a new agent version, that address this novel form of SQL injection later today. CloudWAF instances will be updated shortly thereafter. 

Fastly will not be releasing new rules to address this issue for pre-2020 Legacy WAF. Pre-2020 Legacy WAF customers may contact securitysupport@fastly.com for assistance upgrading to 2020 or Next-Gen WAF options.

 
13 December 2022, 21:50 UTC

We've improved our agent's SQLI detection to address this attack vector.

To take advantage of this improved detection you will need to upgrade your agents to version 4.36.1. Our documentation on how to upgrade your agents can be found here: https://docs.fastly.com/signalsciences/upgrading/upgrading-an-agent/ 

If you are using a Cloud WAF or Edge Deployment, our team is currently upgrading these agents to take advantage of this improved SQLI detection.

If you have any questions, please reach out to securitysupport@fastly.com.

 
14 December 2022, 00:26 UTC

Fastly Next Generation WAF Edge deployments have now been updated to extend SQLI detections. No customer action is required to leverage these improvements.

 
15 December 2022, 19:56 UTC

Cloud WAF deployments have now been updated to extend SQLI detections.