IBM Security Network Protection 5.1.2.1-ISS-XGS-All-Models-Hotfix-FP0004 README
========================================================================
Readme file for: IBM Security Network Protection Firmware 5.1.2.1 All-Models-Hotfix 0004
Product/Component Release: 5.1.2.1
Update Name: 5.1.2.1-ISS-XGS-All-Models-Hotfix-FP0004
PatchID: 1969
Platforms: XGS
Publication date: September 24, 2014
Last Modification date: September 24, 2014

Copyright IBM Corporation 2014.

Read this document in its entirety.

========================================================================
CONTENTS
========================================================================
* Description
* Compatibility and Prerequisites
* Known Issues
* Installation information
* Files included in this update
* Contacting IBM Support
* Copyright and trademark

========================================================================
DESCRIPTION
========================================================================
NOTE: A reboot is required for the changes made by the fix pack to apply.
It is also recommended that you clear the browser cache on any browsers
used to manage the appliance.

Corrects nss, nspr, openssh, and openssl security issues:

openssl/openssh:
  CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508
  CVE-2014-3509 CVE-2014-3510 CVE-2014-3511 CVE-2012-4929

nss/nspr:
  CVE-2013-1740 CVE-2014-1490 CVE-2014-1491 CVE-2014-1492
  CVE-2014-1544 CVE-2014-1545

Previous Fixes:
* Fix for web server vulnerability regarding CVE-2014-0963
* PAM XPU 34.070 (July 2014) breaks Domain Certificate Object matching
  in Network Access and SSL Inspection rules.
* Update to hardware bypass to allow for continued operation of the
  bypass modules if an internal error occurs.
* Fixes the following OpenSSL vulnerabilities: CVE-2014-0224,
  CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470.
* Fixes the Java vulnerability CVE-2014-2414.
* Fixes a vulnerability to CVE-2014-0963 that is caused by rapidly
  increasing CPU utilization due to the handling of certain SSL messages.
* Authentication security improvement
* Disabling protection ports prior to port pair for SSL inspection
  prevents any SSL inspection from occurring
* mesa_eventsd did not get restarted after crashing
* XGS appliance does not report up to SiteProtector when the firmware
  level is out of date
* Fix Outbound SSL vulnerabilities to CVE-2014-0160 and CVE-2014-0076
* Fix Ruby vulnerabilities regarding CVE-2013-4164 and CVE-2013-4492
* Fix a possible LMI lockup when trying to display the Top Ten Events
  graph
* Update the appliance statistics collection process to prevent a crash
  when generating a support file
* Update the appliance SiteProtector communication process to properly
  inform SiteProtector of the health status of the space available on
  the root partition
* Update the appliance remote syslog event generator to prevent a crash
  when generating QRadar formatted events that have large name-value
  pairs
* Fix for enabling promiscuous mode for monitoring and HA mirror
  protection interfaces after an appliance reboot
* Fix for handling out of order TLS records while processing a record
  fragment
* Fix ECDHE error messages
* TVT updates (post-GA)
* Fix for requesting licenses for in-use features from SiteProtector
* SiteProtector is showing as Unhealthy because SSL Inspection is not
  licensed when there are no SSL policies enabled

========================================================================
COMPATIBILITY AND PREREQUISITES
========================================================================
This update is only compatible with the IBM Security Network Protection
firmware 5.1.2.1. It can be applied on top of any previously installed
fix pack.

MD5 checksum calculation:
  - 6202437179652c924dc7bce66ea8ef27 5.1.2.1-ISS-XGS-All-Models-Hotfix-FP0004.fixpack

========================================================================
KNOWN ISSUES
========================================================================
There are no known issues with this patch.

========================================================================
INSTALLATION INFORMATION
========================================================================
To apply fix pack through LMI
1) Go to Manage System Settings --> Updates and Licensing --> Fix Packs
2) Click +New
3) Browse for fix pack file:
   - 5.1.2.1-ISS-XGS-All-Models-Hotfix-FP0004.fixpack
4) Click Save Configuration
5) Reboot Appliance and clear Browser cache on any browser used to
   manage appliance

To apply fix pack through USB port of XGS
1) Copy fix pack file into a USB device:
   - 5.1.2.1-ISS-XGS-All-Models-Hotfix-FP0004.fixpack
2) Connect USB device onto XGS in which you want to apply fix pack
3) ssh to XGS appliance
   - ssh admin@XXX.XXX.XXX.XXX
4) Type fixpacks, press enter
5) Type install, press enter
6) Confirm USB device is inserted by typing YES and pressing enter

========================================================================
FILES INCLUDED IN THIS UPDATE
========================================================================
5.1.2.1-ISS-XGS-All-Models-Hotfix-FP0004.zip
|
|--5.1.2.1-ISS-XGS-All-Models-Hotfix-FP0004.fixpack
|
|--5.1.2.1-ISS-XGS-All-Models-Hotfix-FP0004-Readme.txt

========================================================================
CONTACTING IBM SUPPORT
========================================================================
To Contact IBM Support Worldwide

Phone:
Call IBM Support by selecting phone number from this location:
http://www.ibm.com/planetwide
When prompted for type of support, select option 2 for Software Support
You will need to provide your IBM Customer Number (ICN)

Electronically:
Go to http://www.ibm.com/legal/copytrade.shtml
and open a new service request

===========================================================================
COPYRIGHT AND TRADEMARK
===========================================================================
Copyright and trademark information
http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not
apply to you.

This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein; these
changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.

Microsoft, Windows, and Windows Server are trademarks of Microsoft
Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino,
Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or
its subsidiaries in the United States and other countries.

Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.

Other company, product, or service names may be trademarks or service
marks of others.

*THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION*

See the license agreement for this product for details concerning terms
and conditions applicable to third party software code included in this
product, and for certain notices and other information IBM must provide
to you under its license to certain software code.

Notwithstanding the terms and conditions of any other agreement you may
have with IBM or any of its related or affiliated entities (collectively
"IBM"), the third party software code identified below are "Excluded
Components" and are subject to the following terms and conditions:

* the Excluded Components are provided on an "AS IS" basis
* IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND
  CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT
  LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE
  IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A
  PARTICULAR PURPOSE
* IBM will not be liable to you or indemnify you for any claims related
  to the Excluded Components
* IBM will not be liable for any direct, indirect, incidental, special,
  exemplary, punitive or consequential damages with respect to the
  Excluded Components.

===========================================================================