IBM Security Network Protection 5.1.0.0-ISS-XGS-All-Models-Hotfix-FP0010 README
========================================================================

Readme file for: IBM Security Network Protection Firmware 5.1.0 All-Models-Hotfix 0010
Product/Component Release: 5.1.0.0
Update Name: 5.1.0.0-ISS-XGS-All-Models-Hotfix-FP0010
PatchID: 1924
Platforms: XGS
Publication date: June 19, 2014
Last Modification date: June 19, 2014

Copyright IBM Corporation 2014.

Read this document in its entirety.

========================================================================
CONTENTS
========================================================================

* Description
* Compatibility and Prerequisites
* Known Issues
* Installation information
* Files included in this update
* Contacting IBM Support
* Copyright and trademark

========================================================================
DESCRIPTION
========================================================================

NOTE: A reboot is required for the changes made by the fix pack to apply.
Also, you should clear the browser cache on any browsers used to manage
the appliance.

Fixes the following OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-0198,
CVE-2010-5298, and CVE-2014-3470.

Fixes the Java vulnerability CVE-2014-2414.

Previous Fixes:

* This Fix Pack fixes a vulnerability to CVE-2014-0963 that is caused by
  rapidly increasing CPU utilization due to the handling of certain SSL
  messages.
* Authentication security improvement
* Disabling protection ports prior to port pair for SSL inspection
  prevents any SSL inspection from occurring
* mesa_eventsd did not get restarted after crashing
* XGS appliance does not report up to SiteProtector when the firmware
  level is out of date
* Fix Outbound SSL vulnerabilities to CVE-2014-0160 and CVE-2014-0076
* Fix Ruby vulnerabilities regarding CVE-2013-4164 and CVE-2013-4492.
* Fix a possible LMI lockup when trying to display the Top Ten Events
  graph.
* Update the appliance statistics collection process to prevent a crash
  when generating a support file.
* Update the appliance SiteProtector communication process to properly
  inform SiteProtector of the health status of the space available on
  the root partition.
* Update the appliance remote syslog event generator to prevent a crash
  when generating QRadar formatted events that have large name-value
  pairs.
* Fix for enabling promiscuous mode for monitoring and HA mirror
  protection interfaces after an appliance reboot.
* IPS events not always properly blocked when the packet triggering the
  IPS event matches multiple signatures with different responses. A
  reboot is necessary for this fix to apply after installing the fixpack.
* Analysis engine aborts and does not restart when processing a NAP rule
  containing a network object which references a disabled adapter. A
  reboot is necessary for this fix to apply after installing the fixpack.
* Added debug counters to trace events generated by the analysis engine.
* When FW upgrading with file being pulled from update server, there is
  no indication of progress of install - screen appears to freeze.
* No GRUB option for Hardware Diagnostics after upgrade to 5.1.1.
* When filtering an IPS Policy using multiple boolean filters, the
  filters can behave unexpectedly and fail to work as intended by the
  user. It is necessary to clear your browser cache after this fix is
  applied.
* Fix XSS Vulnerability in IBM Knowledge Center Local Edition. This is
  the documentation located on the appliance.
* Fix a crash in the inspection process due to memory corruption.
* Fix a crash in the inspection process due to a null pointer
  dereference. A reboot is necessary for this fix to apply after
  installing the fix pack.
* Fix the matching of events generated over SSL MITM so that IPS objects
  other than the default IPS Object will match.
* Fix LMI pages so that they will render correctly in Google Chrome v30.
* Fix an issue that results in a Reset instead of Block page with SSL
  decryption and Web Apps.
* Fix an issue that resulted in dropped TCP connections that had been
  established before packet processing was started.
* Fix an issue where the XGS does not block exploit code contained in
  PDF documents transferred by means of HTTPS.
* Fix a random resource leak in the analysis engine.
* Fix an issue with the default IPS Policy not properly enabling the
  default IPS objects.
* Fix a rare network packet buffer leak.
* Fix an issue where the unanalyzed policy setting is not taken into
  account when flushing the packet queue.

========================================================================
COMPATIBILITY AND PREREQUISITES
========================================================================

This update is only compatible with the IBM Security Network Protection
firmware 5.1.0. It can be applied on top of any previously installed
fix pack.

MD5 checksum calculation:
- d6919b3464910912dbf2b0d8a1cdb4ba 5.1.0.0-ISS-XGS-All-Models-Hotfix-FP0010.fixpack

========================================================================
KNOWN ISSUES
========================================================================

There are no known issues with this patch.
========================================================================
INSTALLATION INFORMATION
========================================================================

To apply fix pack through LMI

1) Go to Manage System Settings --> Updates and Licensing --> Fix Packs
2) Click +New
3) Browse for fix pack file:
   - 5.1.0.0-ISS-XGS-All-Models-Hotfix-FP0010.fixpack
4) Click Save Configuration
5) Reboot Appliance and clear Browser cache on any browser used to
   manage appliance

To apply fix pack through USB port of XGS

1) Copy fix pack file into a USB device:
   - 5.1.0.0-ISS-XGS-All-Models-Hotfix-FP0010.fixpack
2) Connect USB device onto XGS in which you want to apply fix pack
3) ssh to XGS appliance
   - ssh admin@XXX.XXX.XXX.XXX
4) Type fix pack, press enter
5) Type install, press enter
6) Confirm USB device is inserted by typing YES and pressing enter

========================================================================
FILES INCLUDED IN THIS UPDATE
========================================================================

5.1.0.0-ISS-XGS-All-Models-Hotfix-FP0010.zip
|
|--5.1.0.0-ISS-XGS-All-Models-Hotfix-FP0010.fixpack
|
|--5.1.0.0-ISS-XGS-All-Models-Hotfix-FP0010-Readme.txt

========================================================================
CONTACTING IBM SUPPORT
========================================================================

To Contact IBM Support Worldwide

Phone:
Call IBM Support by selecting phone number from this location:
http://www.ibm.com/planetwide
When prompted for type of support, select option 2 for Software Support
You will need to provide your IBM Customer Number (ICN)

Electronically:
Go to http://www.ibm.com/legal/copytrade.shtml and open a new service
request

===========================================================================
COPYRIGHT AND TRADEMARK
===========================================================================

Copyright and trademark information
http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not
apply to you.

This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein; these
changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.

Microsoft, Windows, and Windows Server are trademarks of Microsoft
Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino,
Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or
its subsidiaries in the United States and other countries.

Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.

Other company, product, or service names may be trademarks or service
marks of others.

*THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION*

See the license agreement for this product for details concerning terms
and conditions applicable to third party software code included in this
product, and for certain notices and other information IBM must provide
to you under its license to certain software code.
Notwithstanding the terms and conditions of any other agreement you may
have with IBM or any of its related or affiliated entities (collectively
"IBM"), the third party software code identified below are "Excluded
Components" and are subject to the following terms and conditions:

* the Excluded Components are provided on an "AS IS" basis
* IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND
  CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT
  LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE
  IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A
  PARTICULAR PURPOSE
* IBM will not be liable to you or indemnify you for any claims related
  to the Excluded Components
* IBM will not be liable for any direct, indirect, incidental, special,
  exemplary, punitive or consequential damages with respect to the
  Excluded Components.

===========================================================================