Description
An upgrade patch should be applied urgently to your Web Isolation on-premise environment, as detailed below. If you are a Web Isolation cloud customer, the patch is applied automatically for you and no action is required.
Background
The Google Chrome team has recently published a secure-by-default configuration change which they intend to gradually push to Chrome 80 users starting February 2020. This new setting could break web functionality that relies on third-party cookies, including Web Isolation.
Link to Google publication: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
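To illustrate why this default breaks functionality that relies on third-party cookies, the following added example (not part of the original advisory or of the Web Isolation product) classifies Set-Cookie header values by how Chrome 80 handles them on a cross-site subrequest once the new setting is active. The function names and the sample cookies are assumptions constructed for illustration.

```python
# Added example. Models Chrome 80's SameSite defaults for a cross-site
# subrequest (iframe, XHR, image). All header values are constructed.

def parse_set_cookie(header):
    """Return (cookie_name, attrs) with attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def third_party_verdict(header):
    """Return (cookie_name, verdict) for a cross-site subrequest in Chrome 80."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        if "secure" in attrs:
            return name, "sent"
        return name, "rejected: SameSite=None requires Secure"
    if samesite in ("lax", "strict"):
        return name, "withheld: SameSite=" + samesite.capitalize()
    # Missing or unrecognized SameSite: Chrome 80 applies Lax by default.
    return name, "withheld: defaulted to SameSite=Lax"


SAMPLE_HEADERS = [  # constructed sample input
    "session=abc123; Path=/; HttpOnly",
    "auth=xyz; Path=/; Secure; HttpOnly; SameSite=None",
    "pref=1; Path=/; SameSite=None",
    "csrf=t0k3n; Path=/; Secure; SameSite=Strict",
]


def audit(headers):
    """Classify each Set-Cookie header value in the list."""
    return [third_party_verdict(h) for h in headers]


if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS):
        print(f"{cookie:8} {verdict}")
```

Only a cookie marked both SameSite=None and Secure is still sent in a third-party context; a cookie with no SameSite attribute, which was previously sent, is now withheld.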
Customer Impact
A major interruption for Chrome 80 users is expected unless the patch upgrade below is applied.
Expected behavior without the required upgrade:
For environments with server authentication, users will not be able to log in to the Web Isolation service and will be shown an authentication error.
For all other environments, browser cookies will not be persistent. Users will not be able to log in to some websites.
Required Customer Action – Upgrade patch needed for customers running a version older than 1.13.951+780
We strongly advise you to actively follow the enclosed instructions to prevent the possibility of an outage.
Web Isolation patches are available for both version 1.12 and version 1.13 (older than 1.13.951+780).
Patch Requirements
Patches are available for the following versions:
To find out which version you are running, SSH to one of your Web Isolation machines and run this command:
fgcli system version
If the version you are running is not listed under the patch requirements, please consider upgrading to 1.13.951+780 or applying the temporary workaround mentioned below.
Note: The patch will automatically restart several components in your environment, which could have an impact on your users. We recommend running the patch outside working hours.
Patch Upgrade Instructions
To apply the patch, please run these commands as the `fireglass` user on each Web Isolation machine. Please replace the <build-version> placeholder with the version you are running, as it appears in the list above.
cd /tmp/
fgcli fileserver download patch/10870/samesite.sh .
chmod +x ./samesite.sh
./samesite.sh <build-version>
Temporary workaround for customers who wish to delay the Web Isolation patch
If you do not wish to apply the patch, it is possible to revert Chrome 80 to the pre-Chrome 80 behavior. To do so, please follow Google's instructions as published here.
Reporting Problems
If you have questions or concerns about applying this upgrade patch, or experience issues, please contact Technical Support.