sh_8.6.2


Upload: aashishmaru

Post on 05-Jan-2016


RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD APPLIANCE

RELEASE DATE: DECEMBER 24, 2014

RIOS VERSION: 8.6.2

CONTENTS

1) Supported Steelhead Models

2) New Features in RiOS 8.6.2

3) New Features in RiOS 8.6.1

4) New Features in RiOS 8.6.0

5) Fixed Problems

6) Known Issues

7) Upgrading the RiOS Software version

8) CMC compatibility

9) Hardware and Software dependencies

10) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS

RiOS 8.6.2 supports CXx55, CXxx55, x50, xx50, CX570 and CX770 models.

Important: RiOS 8.6.2 does not support Riverbed xx20 models.

2) NEW FEATURES IN RIOS 8.6.2

This section provides an overview of the new features available in RiOS v8.6.2.

Full-Transparency with Enhanced Auto-Discovery Enhancement

Improved the enhanced auto-discovery protocol, when used with full-transparency. After the connection between Steelheads has been established and data packets addressed to the server side Steelhead are generated, the client side Steelhead will check that the full-transparency in-path rule is present.

Improved SDR-Adaptive Functionality

Improved SDR-Adaptive functionality to monitor CPU usage in addition to disk load.


3) NEW FEATURES IN RIOS 8.6.1

This section provides an overview of the new features available in RiOS v8.6.1.

New Appliance Models

RiOS v8.6.1 supports the Series CX570 and CX770 appliances.

Baseboard Management Controller (BMC)

The Steelhead CX570 and CX770 models include Baseboard Management Controller (BMC) support. The BMC monitors the physical state of the appliance and tracks system and network watchdogs, error logs, and sensors. The sensors of a BMC measure internal physical variables such as temperature, power settings, and fan speeds, and trigger alerts for activity detected outside specified limits. For more information, see the Upgrade and Maintenance Guide.

Enhanced Product Diagnostics and Usage Reporting

A single encrypted HTTPS connection will be opened from each managed device periodically delivering anonymized information to secure servers located at usage.comms.riverbed.com:443. In addition, a periodic DNS request will be directed to a dynamically-generated host ending in updates.riverbed.com. To disable reporting of product health and usage information, issue the commands 'no debug uptimereport enable' and 'no debug health-report enable'. Riverbed cares about privacy and data security. For more information, see http://www.riverbed.com/legal/privacy-policy

UI Current Connection Report Enhancement

Added the ability to filter based on connections for a specific Path Selection path name by entering the name into a "matching regular expression" filter.

CLI command reports GRE paths egress statistics

The show in-path gre-egress-tbl command reports GRE sources along with the number of packets and bytes received from those senders.


4) NEW FEATURES IN RIOS 8.6.0

This section provides an overview of the new features available in RiOS v8.6.0. For details, see the Steelhead Appliance Management Console User’s Guide, the Steelhead Appliance Deployment Guide - Protocols, the Steelhead Appliance Deployment Guide, and the Riverbed Command-Line Interface Reference Manual.

Path Selection Enhancements

Includes support for these features:

• Multiple and single firewalled paths using GRE tunneled paths. You can now create direct tunneled paths to steer traffic over any path that traverses a stateful firewall between the server-side Steelhead appliance and the client-side Steelhead appliance.

• Firewalled deployments using the Application Flow Engine (AFE) to identify and steer traffic flows.

• Symmetric and asymmetric traffic flows.

New SharePoint Optimization Diagnostic Reporting

Provides cache hit rates and totals for these SharePoint extensions:

• Web Distributed Authoring and Versioning (WebDAV) – HTTP/1.1 extension. The local Steelhead appliance proxies transactions, fetching information ahead of time to serve data locally. For example, for directory browsing, the Steelhead appliances fetch structures of subdirectories, caching them for faster response to the client.

• FrontPage Server Extensions (FPSE), which enables the client application to display the contents of a Web site as a file system.

SSL Common Name Support for the AFE

Improves SSL application classification efficiency by allowing wildcards in SSL common name identification.

New Current Connection Details

Provides more information on QoS classes, applications, and outbound QoS marking for individual connections.

Over 350 Additional Applications in the AFE

Includes significant additions to the number of popular applications recognized by the AFE. The AFE enhancements further classify the various Microsoft Lync workloads. Lync is a multi-featured communications suite that goes across many protocols. The AFE covers the majority of the traffic generated between Lync clients and servers. The AFE greatly eases the process of identifying applications in Steelhead appliances. For a complete list of recognized applications, see the Steelhead Appliance Management Console User’s Guide.

Authentication Scaling and Load Balancing for Secure Protocol Optimization

Improves the number of applications per second and availability of domain authentication operations. The improvements meet the requirements of high-load environments for encrypted MAPI and signed-SMB traffic to load balance across multiple domain controllers. They also improve handling in environments where the domain controllers are not local to the server-side Steelhead appliance; for example, the domain controllers in Microsoft Office 365 data centers. For details, see the Riverbed Command-Line Interface Reference Manual.

MAPI and eMAPI Over IPv6 Optimization

Provides latency optimization for MAPI and eMAPI over IPv6. Authentication is over IPv4 only. Communication to the domain controller is over IPv4 only.

HTTP Optimization Improvements

• Removes the 1 MB bypass limit for Steelhead appliances running RiOS v8.6. The limit is still in effect for a Steelhead appliance peered with a Steelhead appliance running RiOS v8.5.x and earlier. The HTTP cache limit is still 1 MB.

• RiOS now allows caching of HTTP Vary headers when encoding is set to None. Combine with strip compression to improve the cache hits.

• Added diagnostics for stream splitting.

Improved RiOS Data Store Encryption Performance

Includes several methods to alleviate lock contention, improving encrypted data store throughput and latency.

New System Administrator Role

Includes permission for all other RBM roles and permission to perform appliance administration, minimizing the need to assign an administrator role that grants full read-write access to all areas of the appliance. For details, see the Riverbed Command-Line Interface Reference Manual.


SSL Transport Layer Security (TLS) Support

Enhances security on the inner and outer SSL channels between the client-side and server-side Steelhead appliances. Support includes the TLS version 1.1 and 1.2 encryption protocol. For details, see the Riverbed Command-Line Interface Reference Manual.

5) FIXED PROBLEMS

Problems fixed in version 8.6.2

• 123997 Fixed an issue where disk alarm is triggered after a raid element fails.

• 138588 Removed generating linklocal IPv6 address for interfaces with MTU value lower than 1280. This is to avoid the kernel error message "No buffer space available", since IPv6 requires MTU on an interface to be at least 1280.

• 144119 RiOS software switches transparently from hardware to software compression when an error is detected on the SDR accelerator card. This enhancement ensures that the optimization service resumes compression with the SDR accelerator card after a fixed timeout period (6 minutes), thus helping recover full functionality in the case of transient errors like memory pressure. If the error is determined to not be transient (10 or more failures in a 2-hour period), the service switches entirely to software compression.

• 150658 Fixed an issue where the optimization service could crash if an optimized Outlook Anywhere connection is closed while it is processing HTTP request or response headers.

• 151040 Fixed a race condition during delegation configuration to avoid process restart

• 153082 Fixed an issue that caused a crash of the optimization service at Smb2::ClientParser::process_TreeDisconnectResponse(). The crash was due to an attempt to update metadata in an unoptimized node during a Tree Disconnect operation. The crash is likely to occur in Smb2::ClientParser::process_SessionLogoffResponse() as well, due to similar attempts made during a Session Logoff operation. The fix adds checks to avoid updating metadata in unoptimized nodes.


• 158834 Fixed an issue with Notes Encryption Optimization where the server-side Steelhead fails to forward traffic to the unencrypted server port. This occurred in the following conditions:

1) Enhanced Auto-Discover (EAD) disabled

2) Fixed target rules between Steelhead appliances

3) Probe-caching enabled

This can result in the encrypted Notes connections not being optimized. In this case you will see a log message like the following:

[notesencr2sfe.NOTICE] 1 {x.x.x.x:x y.y.y.y:1352} Server is requesting encryption on port 1352 and therefore cannot be optimized. This connection will be passed through.

Note from the log that port 1352 was used even though Steelhead was configured to send traffic to unencrypted port 1353.

• 159262 Hardware watchdog timed out during lookup of a connection in a corrupted connection table. The corruption was caused because of lingering closed connections in the connection table. The fix gracefully removes closed connections from connection table thus avoiding corruption.

• 162336 Fixed a rare timing-related issue where the optimization would shut down if the SSL Secure Peering handshake completes at the same time as an optimized encrypted Lotus Notes connection is being torn down. After the fix the Lotus Notes Encryption Optimization blade checks to see if the connection is being terminated before it processes messages from the SSL Secure Peering blade.

• 162553 Fixed the communication between the ESX Cloud SteelHeads and the Cloud Portal. The absence of this secondary communication resulted in the appliance not showing up against the license on the Cloud Portal.

• 163276 Fixed the handling of empty kerberos request packets on HTTP connection.

• 163476 Fixed a leak of file descriptors in the winbindd process that can result in protocol errors for new Signed SMB or encrypted MAPI connections

• 164034 Fixed an issue where optimized bandwidth limits were not enforced on MxTCP connections.

• 164421 Corrected code logic specific to http HEAD request that was improperly blocking data.

• 164812 The optimization service will now close the MAPI connection if an error condition is encountered during optimization, allowing Outlook to gracefully recover.

• 165611 Fixed the memory allocation failure that caused InPath interfaces to stay offline after a software upgrade. The failure resulted from the increase in memory usage of the system during a software upgrade.

• 165671 Fixed an issue where the 'image fetch' command would fail if the disk drive containing the /var directory was replaced.

• 166355 Fixed a kernel crash that may occur because of incoming out-of-order fragmented TCP packets when the QoS and/or Path Selection feature is enabled.


• 166967 The service crash following a service restart after a SDR Card failure has been fixed.

• 166977 Fixed an issue that caused sysdump collection to get stuck when TACACS+ per-command authorization is configured. This can occur if the "admin" account is not authorized by the TACACS+ server to execute the "exit" command in the CLI. During sysdump collection the CLI is launched multiple times internally, and if it cannot exit from the CLI, the collection cannot complete.

• 167210 Fixed memory leak in DC discovery locator process.

• 173665 Increased the memory admission control values so that they are adequate to support the maximum prescribed load for SteelHead models 770L and 770M.

• 187833 Fixed a memory leak in RiOS kernel that may occur in the client-side SteelHead in rare conditions where a client is opening a very large number of short-lived connections and the optimized connection setup between SteelHeads fails.

• 187862 The Qosd memory leak was fixed and no leaks have been seen with this release.

• 191370 Fixed an issue where invalid login requests can result in MAPI blacklist entries. Outlook can send an invalid login request and this resulted in a MAPI blacklist entry on the server-side Steelhead. With this change such a blacklist entry is only made on the 2nd invalid login request on a MAPI connection. This will allow a recovery and successful login by Outlook on the second attempt.

• 191761 Fixed an issue that results in failure of directory synchronization using ViceVersa software when CIFS optimization is enabled. Certain find requests on folder content were not forwarded to the server, causing the client to eventually close the connection.

• 191775 Fixed an issue where the byte count reported by the CLI command, "show in-path gre-egress tbl", included the GRE header of each packet that egress GRE tunnels.

• 191792 Fixed the issue where when AppVis is enabled and DSCP-marking is not enabled, the inner channel for Citrix packets were incorrectly marked with the 0x3F DSCP value.

• 192346 Fixed an issue that caused an error to be reported when non correct mode IPv6 addresses are entered in the delegation lists (delegate-all, delegate-all-except)

• 193744 GeoDNS for SH SaaS is used to locate the closest SteelHead against the destination Exchange-online (Office 365) server. This feature was disabled by default before RiOS 8.6.2. The feature has now been enabled by default. The feature should not be disabled under normal circumstances.

• 194051 Fixed an optimization service crash that can occur when an optimized MAPI connection opens a second MAPI protocol context, but the connection has previously encountered an optimization error.


• 195020 Upgrade Apache httpd 2.4 to 2.4.10 and 2.2 to 2.2.28 (or 2.2.27 with patches) for CVE-2014-0117, CVE-2014-0226, CVE-2014-0118, CVE-2014-0231

Details
-------

CVE-2014-0117: mod_proxy: DoS attack against a reverse proxy via a crafted HTTP Connection header.

CVE-2014-0118: mod_deflate: DoS via highly compressed crafted request message body.

CVE-2014-0231: mod_cgid: DoS against CGI script due to lack of timeout.

CVE-2014-0226: mod_status: Heap overflow denial of service attack. Note that RiOS is not impacted by CVE-2014-0226 as it does not include the affected mod_status module.

Fix
---

Upgraded Apache on RiOS 8.0 and higher, to fix multiple Denial of Service issues.

Recommendation - Upgrade to patched version if applicable

• 197894 Fixed an issue so that IPs specified in the 'protocol domain-auth delegation rule dlg-only' command show up in the 'show running config' command output.

• 200048 When SDR adaptive is enabled (either Legacy or Advanced), use sustained CPU pressure as an alternate trigger to send resource pressure messages to a peer steelhead.

• 200449 Fixed a problem that caused an assertion failure when optimizing encrypted Lotus Notes connections. At the point of crash the following log message was seen on the server side SteelHead:

[assert.CRIT] - {- -} ASSERTION FAILED (lock_->held_by_me()) at /builddir/build/BUILD/sport-0.1/rbt/iocore/action.cc:50.

The stack trace pointed to an assertion failure in the event system code:

#2 0x0... in assert_failure(char const*, char const*, char const*, int) ()

#3 0x0... assert_failure(char const*, char const*, int) ()

#4 0x0... in ActionInternal::is_cancelled() const ()

#5 0x0... in NetIOChannel::handle_event(EventSource, EventType, void*, void*) ()

#6 0x0... in EventThread::process_pollfds(int) ()

#7 0x0... in EventThread::run() ()

The crash happened because our optimization service was performing read/write operations on an aborted TCP connection between the server side SteelHead and the Lotus Notes server.


• 200896 CVE-2014-3535: Linux kernel Vxlan NULL pointer dereference flaw

Details
-------

CVE-2014-3535: The Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and its related logging implementation, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) by sending invalid packets to a VxLAN interface.

Fix
---

Patched the Linux kernel to fix CVE-2014-3535

Recommendation - Upgrade to patched version if applicable.

• 204080 Fixed a problem with Discovery Agent and agent-intercept mode optimization on long network paths with many hops. Auto-discovery could have failed (leading to passthrough connections) due to auto-discovery packets not reaching the client side SteelHead. The TTL on auto-discovery packets was being reused from the previous packet on the flow, causing the TTL to reach zero faster than the actual number of hops the packet traverses.

• 204870 Enhanced the error message logged when optimization service cannot be enabled if none of the in-path interfaces have an IPv4 address configured.

• 205495 Fixed an issue where messages like the following may show up in the logs, and CLI and WebUI access becomes slow or unresponsive.

[mgmtd.NOTICE]: Waited [x] secs for [query request], Bindings (1 of 1):{/hw/hal/ipmi/query/allevents,N/A,N/A}

This was usually caused by large numbers of SEL entries where requesting them can be slow. Existing SEL entries are now cached in RiOS and only new entries need be retrieved through IPMI.


• 205665 Upgrade to openssl 1.0.1j/1.0.0o to patch openssl security vulnerabilities (libs used by sport)

Details
-------

The OpenSSL security advisory https://www.openssl.org/news/secadv_20141015.txt identifies several vulnerabilities of which the following impact RiOS:

CVE-2014-3566: Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566).

Fix
---

OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20141015.

Recommendation - Upgrade to patched version if applicable.


• 205667 Upgrade OpenSSL to 1.0.1j for security advisory "secadv_20141015": CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568

Details
-------

This update addresses the following issues:

CVE-2014-3566 (POODLE attack): The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.

CVE-2014-3567 (Session ticket memory leak): A flaw in the session ticket integrity check mechanism allows an attacker to cause a denial of service attack by sending a large number of invalid session tickets.

CVE-2014-3568 (Incomplete no-ssl3 build option): When OpenSSL is configured with "no-ssl3" as a build option, the option was effectively ignored, and SSL 3.0 was still allowed.

Fix
---

OpenSSL has been updated to address CVE-2014-3566, CVE-2014-3567 and CVE-2014-3568. This update also includes a fix for CVE-2014-3513, though RiOS is not impacted by it.

Recommendation - Upgrade to patched version if applicable

• 205746 Fixed an issue where a memory leak could occur in the mgmtd process when loading a Steelhead current connection report with more than 500 optimized connections. This memory leak issue has been resolved in this bug.

• 205927 CVE-2014-3660: libxml2: denial of service via recursive entity expansion

Details
-------

Libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

Fix
---

Upgraded libxml2 package to address CVE-2014-3660.

Recommendation - Upgrade to patched version if applicable
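For services that accept XML from untrusted peers and cannot yet take the libxml2 fix in 205927, a pre-parse screen can bound entity expansion without ever materialising it. This is an added example, not Riverbed or libxml2 code; the function name, the budget values and the sample documents are assumptions constructed for illustration, and it also refuses external and parameter entity declarations.

```python
import re

# Internal general entity declaration: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(["\'])(.*?)\2\s*>', re.S)
# Parameter entity (<!ENTITY % ...>) or external entity (SYSTEM / PUBLIC)
EXTERNAL_OR_PARAM = re.compile(r'<!ENTITY\s+(?:%\s|[\w.:-]+\s+(?:SYSTEM|PUBLIC)\s)')
ENTITY_REF = re.compile(r'&([\w.:-]+);')
# DOCTYPE with an optional internal subset; assumes no "]>" inside entity values
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[.*?\]\s*)?>', re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


def screen_xml(xml_text, max_expanded=1_000_000, max_depth=32):
    """Return (accepted, reason, size) where size is the computed length of
    the body after entity expansion, saturated at max_expanded + 1."""
    if EXTERNAL_OR_PARAM.search(xml_text):
        return (False, "external-or-parameter-entity", 0)

    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)  # the first declaration is the binding one

    memo = {}  # entity name -> expanded length, computed once per entity

    def expanded_len(text, stack):
        total = len(ENTITY_REF.sub("", text))  # literal characters
        for name in ENTITY_REF.findall(text):
            if name in PREDEFINED:
                total += 1
            elif name in decls:
                if name in stack:
                    raise ValueError("recursive-entity")
                if len(stack) >= max_depth:
                    raise ValueError("entity-nesting-too-deep")
                if name not in memo:
                    memo[name] = expanded_len(decls[name], stack + (name,))
                total += memo[name]
            # Undeclared references add nothing; a conforming parser rejects them.
            if total > max_expanded:
                return max_expanded + 1  # saturate instead of growing further
        return total

    match = DOCTYPE.search(xml_text)
    body = xml_text[match.end():] if match else xml_text
    try:
        total = expanded_len(body, ())
    except ValueError as exc:
        return (False, str(exc), 0)
    if total > max_expanded:
        return (False, "expansion-over-budget", total)
    return (True, "ok", total)


# Constructed samples (small on purpose): three nesting levels with fan-out 4.
SAMPLE_NESTED = (
    '<!DOCTYPE d [\n'
    '<!ENTITY e0 "ab">\n'
    '<!ENTITY e1 "&e0;&e0;&e0;&e0;">\n'
    '<!ENTITY e2 "&e1;&e1;&e1;&e1;">\n'
    ']>'
    '<d>&e2;</d>'
)
SAMPLE_RECURSIVE = '<!DOCTYPE d [<!ENTITY a "&b;"><!ENTITY b "&a;">]><d>&a;</d>'
SAMPLE_EXTERNAL = ('<!DOCTYPE d [<!ENTITY x SYSTEM "http://example.invalid/x.dtd">]>'
                   '<d>&x;</d>')

if __name__ == "__main__":
    for label, doc, budget in [("nested", SAMPLE_NESTED, 1000),
                               ("nested, tight budget", SAMPLE_NESTED, 20),
                               ("recursive", SAMPLE_RECURSIVE, 1000),
                               ("external", SAMPLE_EXTERNAL, 1000)]:
        print(label, screen_xml(doc, max_expanded=budget))
```

The screen complements the upgrade rather than replacing it: it is a regular-expression pass over the internal DTD subset, so a deployment that has no need for DTDs can go further and reject any document containing a DOCTYPE.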


Problems fixed in version 8.6.1b

• 154841 Fixed an issue where non-ascii usernames can result in the Domain Communication alarm being raised for Signed-SMB or Encrypted MAPI connections.

• 193347 CVE-2014-0191, CVE-2013-2877: Libxml2 security update RHSA-2014:0513-1

DETAILS
-------

CVE-2014-0191: It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system.

CVE-2013-2877: An out-of-bounds read flaw was found in the way libxml2 detected the end of an XML file. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to crash.

FIX
---

Upgraded libxml2 to fix security vulnerabilities CVE-2014-0191 and CVE-2013-2877.

RECOMMENDATION - Upgrade to patched version if applicable.

• 196534 Upgrade OpenSSL to 1.0.1i, 1.0.0n, and 0.9.8zb for security advisory "secadv_20140806" (CVE-2014-3508 CVE-2014-3509 CVE-2014-3511 and others)

DETAILS
-------

The OpenSSL security advisory https://www.openssl.org/news/secadv_20140806.txt identifies several vulnerabilities of which the following impact RiOS:

CVE-2014-3508: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.

CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.

CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

FIX
---

OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20140806.

RECOMMENDATION - Upgrade to patched version if applicable.

• 196537 Upgrade OpenSSL to 1.0.1i, 1.0.0n, and 0.9.8zb for security advisory "secadv_20140806" - Sport Side

DETAILS
-------

The OpenSSL security advisory https://www.openssl.org/news/secadv_20140806.txt identifies several vulnerabilities of which the following impact RiOS:

CVE-2014-3508: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.

CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.

CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

FIX
---

OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20140806.

RECOMMENDATION - Upgrade to patched version if applicable.


• 197047 Krb5 1.9 security update for CVE-2014-4341, CVE-2014-4342, and CVE-2014-4344

DETAILS
-------

This security update addresses the following issues:

CVE-2014-4341: MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.

CVE-2014-4342: MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.

CVE-2014-4344: MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.

FIX
---

Krb5 has been patched for CVE-2014-4341, CVE-2014-4342, CVE-2014-4344.

RECOMMENDATION - Upgrade to patched version if applicable.

• 200367 glibc security update for CVE-2014-5119 and CVE-2014-0475

DETAILS
-------

CVE-2014-5119: Off-by-one error in the GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.

CVE-2014-0475: Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

FIX
---

Glibc packages updated to fix CVE-2014-5119 and CVE-2014-0475

RECOMMENDATION - Upgrade to patched version if applicable.
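The OpenSSL entries above (205665 and 205667 for secadv_20141015, 196534 and 196537 for secadv_20140806) give a fixed patch letter per branch, and comparing those letters correctly is the awkward part of auditing other hosts against the same advisories. The following is an added example, not Riverbed tooling; the host names and version banners are constructed, and the function names are assumptions.

```python
import re
from typing import NamedTuple

# Fixed patch levels per branch, copied from the release-note entries above.
# Branches the notes do not name for an advisory (for example 0.9.8 for
# secadv_20141015) are left out and reported as "branch-not-listed".
FIXED_LEVELS = {
    "secadv_20140806": {(0, 9, 8): "zb", (1, 0, 0): "n", (1, 0, 1): "i"},
    "secadv_20141015": {(1, 0, 0): "o", (1, 0, 1): "j"},
}

# Letter-suffixed OpenSSL release such as 1.0.1j or 0.9.8zb. Pre-release
# tags (beta, pre) are intentionally not matched.
VERSION_RE = re.compile(r"(?<![\w.])(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![a-z0-9.])")


class OpenSSLVersion(NamedTuple):
    branch: tuple   # (major, minor, fix), e.g. (1, 0, 1)
    letters: str    # patch letters, "" for the base release

    def patch_key(self):
        # Ordering is "" < a < ... < z < za < zb: compare length first, then
        # text, so that "zb" sorts after "y" instead of before "z".
        return (len(self.letters), self.letters)


def parse_openssl_version(banner):
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError("no OpenSSL release string in %r" % banner)
    major, minor, fix, letters = match.groups()
    return OpenSSLVersion((int(major), int(minor), int(fix)), letters)


def advisory_status(banner):
    """Map each advisory to at-or-above-fix, below-fix or branch-not-listed."""
    version = parse_openssl_version(banner)
    status = {}
    for advisory, levels in FIXED_LEVELS.items():
        fixed = levels.get(version.branch)
        if fixed is None:
            status[advisory] = "branch-not-listed"
        elif version.patch_key() >= (len(fixed), fixed):
            status[advisory] = "at-or-above-fix"
        else:
            status[advisory] = "below-fix"
    return status


def hosts_needing_review(inventory):
    """Return sorted (host, advisory, status) rows that are not at the fix level.

    A version string alone overstates exposure on vendor builds that backport
    fixes without changing the letter, so rows are review items, not verdicts.
    """
    rows = []
    for host, banner in inventory.items():
        for advisory, status in advisory_status(banner).items():
            if status != "at-or-above-fix":
                rows.append((host, advisory, status))
    return sorted(rows)


# Constructed inventory: hypothetical hosts with `openssl version` style banners.
SAMPLE_INVENTORY = {
    "proxy-a.example": "OpenSSL 1.0.1i 6 Aug 2014",
    "legacy-b.example": "OpenSSL 0.9.8y 5 Feb 2013",
    "mail-c.example": "OpenSSL 1.0.1j 15 Oct 2014",
    "build-d.example": "OpenSSL 1.0.1e-fips 11 Feb 2013",
}

if __name__ == "__main__":
    for row in hosts_needing_review(SAMPLE_INVENTORY):
        print("%-18s %-16s %s" % row)
```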

Problems fixed in version 8.6.1a

• 202898 CVE-2014-6271, CVE-2014-7169: Bash Code Injection Vulnerability via Specially Crafted Environment Variables

DETAILS
-------

CVE-2014-6271: A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

CVE-2014-7169: It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Please refer to this knowledge base article for detailed information on the impact of this vulnerability on Riverbed products and services: https://supportkb.riverbed.com/support/index?page=content&id=S24997

FIX
---

The Bash component was updated in Riverbed products and services to fix the "ShellShock" vulnerability (CVE-2014-6271, CVE-2014-7169). As a part of this update, the following related issues were also fixed: CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187.

Recommendation - Upgrade to the appropriate patched versions of software as listed in the above KB article.


Problems fixed in version 8.6.1

• 77755 This bug fix helps the optimization service gracefully recover when a corruption is detected in the index by repairing the data structures that form part of the index. This recovery occurs transparently without triggering a service crash, connection drops, or loss of data integrity.

• 94089 The Common Name field on a Certificate Signing Request should include the local hostname for full browser compatibility. The Web user interface now shows a warning when the hostname is not included in the Common Name.

• 129100 Fixed an optimization device failure that would occur along with messages similar to "watcher: One or more threads not responding after at least [x]s; unhealthy threads follow"

• 146046 With inbound QoS enabled, a SteelHead under moderate load might enter into a busy wait loop. In some rare cases, this culminated with a reboot triggered by the hardware watchdog. Inbound QoS has been modified to limit processing too many packets in a single pass. This modification prevents the watchdog from timing out and causing a reboot.

• 147174 Enhanced NetFlow flow records to indicate to CascadeFlow collectors that the SteelHead interface data exported may have been incorrect in virtual in-path deployment or when Path Selection was enabled.

• 147363 Fixed an issue that resulted in a crash of the rcud process during high CPU and disk load on the SteelHead. During high CPU and disk load spikes, the period of time available for the rcud process to recover from an unhealthy state was short. This period has now been increased to allow the rcud process to recover when the appliance enters high CPU or disk load state.

• 148619 Fixed a severe SSL CPS performance degradation issue when the FIPS mode was enabled on the SteelHead. The performance degradation was due to heavy use of certain FIPS locks used by OpenSSL. The fix avoids read operations on FIPS locks to improve performance safely.

• 149216 Fixed an issue where opening a continuous log window could prevent a user's Web session from timing out. Timeout would occur after the inactivity delay set in Web Settings or five minutes after the main window or tab was closed, whichever came first.

• 151996 For Path Selection, the outputs for the show connection and show flow commands now mark paths used for the inner connection pool with an asterisk (*) to help differentiate those paths from the paths that were used for the queried connection.

• 154088 This fix resolves a crash in RiOS resulting from a compression failure on a specific data pattern. The failure was caused by incorrect sizing of the output buffer. The fix makes sure the output buffer is big enough to handle such scenarios.

• 154381 Fixed an issue where a closing TCP connection that was simultaneously opened by the SteelHead and any other device in the network would result in a RiOS kernel crash. The fix gracefully handles this condition by initializing the TCP connection state to the correct value to prevent service disruption.

• 155336 Fixed an issue where the disk space for logs became full after collecting Application Visibility statistics. The system now dynamically scales back Application Visibility granularity thresholds when low disk space is detected.

• 155940 HTTP latency optimization was bypassed on large chunk encoded transfers, by design, with the intent that large transfers would not benefit from latency optimization. This limit has been removed as it has been found to inhibit beneficial optimizations on subsequent transactions.

• 156182 Fixed a potential but unlikely issue where the system shutdown could take more than 20 minutes.

• 158787 Fixed an issue where a CX570 or CX770 Steelhead would display errors in the syslog, such as the following, which do not impact operation and can be ignored:

Feb 10 00:00:39 sv-sh99 hald[7665]: [hald.INFO]: hald_handle_query_request(), hald_main.c:631, build (null): No handler for bnode /hw/hal/raid/disk/0/disk_wear
Feb 14 11:32:05 sv-sh99 hald[7707]: [hald.NOTICE]: RAID MOD: No need to initialize. Old model detected

These warnings have been removed from the CX 570 and CX 770 models, as they do not use RAID.

• 159136 Fixed a statistics accounting issue where bytes sent or received were erroneously accounted multiple times towards a single port.

• 159419 Enabled multiple hardware queues for 10 G interfaces in order to improve the performance for QoS marking and Path Selection. This fix works only when QoS shaping is disabled.

• 159811 Fixed an issue where the domain-health test widgets were not honoring encrypted LDAP settings on domain controllers resulting in test widget failures.

• 160271 Fixed an issue where our LDAP library was not being compiled with the SASL support needed for encrypted LDAP support for the auto-delegation and password replication policy features.

• 162474 Fixed an optimization service crash when an optimized Outlook Anywhere connection was closed immediately after opening.

• 162513 Fixed an issue where in certain rare cases, the SteelHead could report a "Needs Attention" status even though the condition that caused it had cleared. The "Needs Attention" status now clears appropriately.

• 162543 Fixed an issue where the alarm indicating IPv6 incompatibility between connection forwarding neighbors did not clear after the neighbors disconnected.

• 162723 Fixed a memory leak in the statistics gathering subsystem that can result in “paging activity too high” alarms after several months.

• 163298 The memory limit of the QoS process qosd was removed so that it no longer crashes when its memory usage hits 500MB.

• 163324 Added a new alarm in RiOS that is triggered if Path Selection probe responses arrive at a WAN interface that is different from the WAN interface on which the probe requests were sent.

• 163505 Fixed a problem that resulted in the log message "[cli.ERR]: user monitor: No response from HAL for uses_hardware_wdt" occurring when a nonadministrative user logged in. This problem did not cause any functional issues.

• 163925 Three SMB3 port descriptions were corrected on the Monitored Ports configuration page of the Web UI. The descriptions were corrected for ports 8781, 8782, and 8783 to SMB3, SMB3 Signed, and SMB3 Encrypted, respectively.

• 164014 Enhanced error notification to explain that configuring Path Selection channels on a SteelHead that is not peered with an Interceptor is not supported.

• 164133 Access to SOAP APIs was not available in 8.6.0. With the fix, SOAP APIs should now be accessible.

• 164188 Fixed the httpd settings to prevent the "No slotmem from mod_heartmonitor" message that was intermittently seen in the httpd logs.

• 164191 Enhanced Path Selection probing logic to drop probe requests that ricochet through the SteelHead. This change helps in detecting paths as being down in cases where a downstream router may reroute probe requests and such packets ricochet through the SteelHead.

• 164382 The CX570, CX770, and SMC platforms do not support the CLI command no remote password. "Operation is not supported in the given platform" is now printed on the console if the user enters this command.

• 164384 Fixed an issue where Path Selection information for a connection was not visible in the UI "Current Connections" report.

• 164503 Corrected a problem where the order of the incoming data was corrupted after the client TCP connection was reset. This problem was leading to an internal crash; however, no corrupt data was ever sent to the client or server.

• 164561 The Web user interface now supports key lengths of 3072 and 4096 for generating CA certificates. This change provides parity with the command-line interface, which introduced these key lengths in version 8.6.0. The key size is no longer allowed to be 512.

• 164805 Fixed an issue in the RiOS kernel that could result in a kernel panic while adding a VLAN tag to an unoptimized packet during path selection.

• 164837 Fixed an issue that resulted in Windows clients failing to connect to a share on Windows 2012R1 Server with update KB2934016 installed. The fix corrects the size of the metadata prefetch request issued by the client-side SteelHead. This size is calculated based on the server's maximum transaction size. Increasing the maximum transaction size to 8 MB by Windows update KB2934016 exposed a bug in the computation of the prefetch request size.

• 165077 Modified the data store configuration file for the CX770L and CX770M models to change the data store size from 100 GB to 150 GB. Upgrading to an image containing the fix will result in a size change. Please note that this resizing operation will clean the data store.

• 165212 Fixed an issue related to a collectord crash under high disk load.

• 165262 Enhanced the logic that maintains the state for optimized connections in the RiOS kernel to prevent referencing stale data that may have resulted in a kernel panic.

• 165343 Fixed a crash of the SteelHead optimization service when the Server Certificate Chain Discovery feature was enabled on the server-side SteelHead. The process crashed due to a NULL pointer dereference. The fix involved introducing NULL pointer checks.

• 165828 Fixed an issue where VLAN tags were stripped when the packets went through an ESX-based Virtual SteelHead. This issue affected both optimized and passthrough traffic.

• 166647 Decreased the number of syslog messages printed by MAPI optimization so only one of those messages is logged for each optimized MAPI connection.

• 191836 Fixed an issue where the SSL peering trust between SteelHeads would not establish due to certain SCEP servers rejecting the CSRs generated by SteelHeads. OpenSSL 1.0.1h updated the default mask for encoding the ASN.1 DirectoryString to use UTF8String, and this has been reverted to PrintableString.

• 192177 Fixed an issue where renewing the SSL peering trust between SteelHeads failed due to certain SCEP servers that rejected the CSRs generated by SteelHeads. OpenSSL 1.0.1h updated the default mask for encoding the ASN.1 DirectoryString to use UTF8String, and this has been reverted to PrintableString.

• 192199 Fixed a problem that caused a crash in the optimization service when the Citrix protocol optimization component parsed the start of a Citrix connection. The stack contained these function calls:

#0 0x... in IcaContext::basic_decrypt(Citrix::ByteBuffer*, bool) ()
#1 0x... in UiDriver::UiDriver(AbstractDriver::DriverHeader const&, BufReader*, bool*) ()
#2 0x... in AbstractDriver::create_driver(AbstractDriver::DriverHeader const&, BufReader*, std::basic_string<char, std::char_traits<char>, std::allocator<char> >*) ()
#3 0x... in DriverInitResponse::DriverInitResponse(unsigned char, unsigned short, bool, BufReader*, bool*) ()
#4 0x... in Citrix::DriverStack::parse() ()
...

The crash happened while parsing a Citrix client packet at the start of the connection. These messages were observed in the system logs immediately before the crash:

... [/citrix/cfe/DriverStack INFO] {<client_ip>:<client_port> <server_ip>:1494|2598} Parsed driver at index QQ

Problems fixed in version 8.6.0a

• 130193 Fixed an issue where an interface would lose link after upgrading to 8.6.0, if the interface speed and duplex were configured for 100 full (without using auto-negotiation) on both the Steelhead and the connected router or switch. The fix will only apply a configuration that is supported by the interface. Workaround: Set both the SteelHead interface and switch to use auto negotiation before upgrading to 8.6.0. After performing the upgrade, change the setting back to speed 100 full duplex.

• 153178 Application Visibility process collectord crash has been fixed. The crash was due to memory exhaustion during high load.

• 165027 IIS is sometimes responding with 401 authentication responses while an HTTP POST request is still sending data. This triggers a connection level bypass, and potentially a crash on the SFE due to a defect in the bypass functionality introduced in 8.5.0.

• 165217 Fixed the Steelhead's Client Authentication support feature to allow bypassing the connection when the ECDHE-RSA cipher suite was chosen.

• 165253 The fix prevented the SteelHead from crashing and correctly handled connections to TCP server port 7840.

• 165657 Fixed a problem where automatic emails were sent from 32-bit appliances indicating /usr/lib64/sa/sa1 and /usr/lib64/sa/sa2 were missing. These commands were used to collect system activity data which was used in system debugging. This problem did not impact normal system operation.

• 165705 Fixed a memory leak issue that resulted in high memory utilization on the SteelHead. The issue could have resulted in admission control, optimization service crash at alloc(), or general slowness. The issue was due to a memory leak while handling SMB2 read responses when 'end of file' information was invalid. Now only if MAPI or NSPI were enabled would those connections have received the corresponding latency optimization.

• 165809 The optimization service would create an optimized MAPI connection for every TCP connection to a server TCP port 7830 even if the MAPI feature was disabled. The optimization service would create an optimized NSPI connection for every TCP connection to a server TCP port 7840. Now only if MAPI or NSPI were enabled would those connections have received the corresponding latency optimization.

• 166984 The fix was to program the interface to do the correct link negotiation based on the interface setting.

• 168159 CVE-2014-0224: OpenSSL weak keying MITM vulnerability

DETAILS
-------
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h did not properly restrict processing of ChangeCipherSpec messages, which allowed man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently to hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

FIX
---
Upgraded OpenSSL as used by the Steelhead optimization service process to 1.0.1h (or 0.9.8za for some older releases using 0.9.8) to fix CVE-2014-0224. Note: This patch also addressed the following security bugs that DID NOT affect RiOS:

DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)

• 168163 CVE-2014-0224: OpenSSL weak keying MITM vulnerability

DETAILS
-------
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h did not properly restrict processing of ChangeCipherSpec messages, which allowed man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently to hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

FIX
---
Upgraded OpenSSL as used by device management to 1.0.1h (or 0.9.8za for some older releases using 0.9.8) to fix CVE-2014-0224. This patch also addressed the following security bugs that did not affect RiOS:

DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)
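The version boundaries quoted in the two CVE-2014-0224 entries above can be checked against an inventory of `openssl version` banners. The following is an added example, not Riverbed code; the host names and the inventory are constructed, and only upstream version strings are compared.

```python
import re

# Fixed upstream releases for CVE-2014-0224, taken from the entries above:
# "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h".
FIXED_LETTER = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# Matches a bare version ("1.0.1h") or an `openssl version` banner
# ("OpenSSL 1.0.1e-fips 11 Feb 2013"). Pre-release tags such as "-beta1"
# are deliberately not matched and end up in the "unknown" bucket.
_VERSION = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-fips)?(?:\s|$)"
)


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letters) or raise ValueError."""
    m = _VERSION.match(banner.strip())
    if m is None:
        raise ValueError("unrecognised OpenSSL version: %r" % banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letter_key(letters):
    """Order patch letters as OpenSSL issued them: '' < a < ... < z < za < zb."""
    return (len(letters), letters)


def is_vulnerable_to_ccs_injection(banner):
    """True if the upstream version predates the fixed release of its branch."""
    base, letters = parse_openssl_version(banner)
    if base in FIXED_LETTER:
        return letter_key(letters) < letter_key(FIXED_LETTER[base])
    # "before 0.9.8za" also covers every branch older than 0.9.8.
    # Branches the entries do not name (1.0.2 and later) are not flagged.
    return base < (0, 9, 8)


def audit(inventory):
    """Sort (host, banner) pairs into vulnerable / not_flagged / unknown."""
    report = {"vulnerable": [], "not_flagged": [], "unknown": []}
    for host, banner in inventory:
        try:
            flagged = is_vulnerable_to_ccs_injection(banner)
        except ValueError:
            report["unknown"].append(host)
            continue
        report["vulnerable" if flagged else "not_flagged"].append(host)
    return report


# Constructed inventory: hypothetical host names with sample banners.
SAMPLE_INVENTORY = [
    ("edge-a", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("edge-b", "OpenSSL 1.0.1h 5 Jun 2014"),
    ("legacy-c", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("legacy-d", "OpenSSL 0.9.8za 5 Jun 2014"),
    ("mid-e", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("lab-f", "OpenSSL 1.0.1-beta1 3 Jan 2012"),
    ("new-g", "OpenSSL 1.0.2 22 Jan 2015"),
]

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```

Distribution packages often backport the fix without changing the upstream version letter, so confirm a flagged host against the vendor's package changelog before treating it as exposed.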

Problems fixed in version 8.6.0

• 59875 Fixed an issue where VLAN-tagged frames belonging to VLAN ID zero were dropped. In an in-path setup, all passthrough traffic tagged with VLAN 0 now will go through. All Steelhead-destined traffic tagged with VLAN 0 will still be explicitly dropped to keep the same behavior as before.

• 62550 Browser cookies could be assigned an HTTP-only flag, which prevented them from being accessed by scripts. Setting the flag prevented cross-site scripting (XSS) attacks targeting the user's session cookie. See:

https://www.owasp.org/index.php/HttpOnly
http://cwe.mitre.org/data/definitions/79.html

To fix this, the Steelhead now uses the HTTP-only flag.

• 67594 Fixed scenarios where the Data channel was not sent to the DPI engine resulting in inconsistent classification behavior. This fix ensured that both Control and Data channels were chained correctly to the DPI engine.

• 74013 Fixed a problem where setting up an optimized connection failed due to using a broken inner pool connection. When the optimization service attempted to send data over the broken connection, it would get an error and destroy the optimized connection. This fix monitored pool connections for socket errors and removed them from the pool upon detecting an error.

• 74266 When using encrypted MAPI, Outlook Anywhere and Smartcards to provide client authentication, Outlook may use the SCHANNEL authentication protocol (auth type 14), which was not supported with RiOS 8.5.0.

• 76017 This was fixed by replacing escape characters with spaces. With this fix special characters like \n will not be shown as #012.

• 77601 Inadvertent WARN level messages from [sslinnerchan/CliClosed.WARN] and [sslinnerchan/SrvClosed.WARN] with the message Shutting down the splice: unexpected message corresponded to benign activity that occurred when SSL secure inner channel was used for non-SSL traffic. The messages have been removed.

• 78637 The CLI support show ether-relay now correctly reports entries of all relay devices.

• 90698 Fixed an issue which resulted in a crash of the server-side optimization service when the Smb2 blade's read-ahead was enabled. The crash was due to an update to the read-ahead window issued by the client-side Steelhead when there was no read-ahead handle on the server-side Steelhead. The fix gracefully handles this situation by stopping just the application level (layer 7) optimization only on the connection that experiences this issue.

• 95504 Removed the 1 megabyte HTTP response bypass limit so that a larger response no longer triggers optimization bypass as long as both Steelheads are running 8.6.0 or later.

• 99396 Fixed an issue where viewing the Alarm Status page could encounter item unexpectedly already existing errors when an IPMI alarm was triggered.

• 108661 The old implementation of the EPM blade could not handle the NDR64 transfer syntax. To prevent the client and server from using NDR64, it nulled out the NDR64 transfer syntax during EPM bind, but some clients and servers did not like this and closed the connection, resulting in disruption of service. The EPM blade has been rewritten from scratch to parse and handle different kinds of transfer syntaxes, for example NDR32 and NDR64; it now lets the client and server use NDR64 and correctly handles NDR64 traffic.

• 109501 Currently, the RBM user roles are ignored for Steelhead Cloud Accelerator features. RBM users with DENY permissions in all roles are allowed access to Steelhead Cloud Accelerator UI pages and Steelhead Cloud Accelerator commands.

• 113802 Fixed a problem where a lock was not properly being released in the Citrix optimization blade. This would result in other threads being blocked while trying to acquire the lock, which would eventually cause the watchdog timer to detect the threads as unhealthy and temporarily put the optimization service in bypass.

• 120103 All Outlook Anywhere connections from a client computer needed to be optimized by the same set of client- and server-side Steelheads. If multiple client-side Steelheads are deployed in a cluster, the Interceptor is automatically configured to reliably select the same client-side Steelhead for subsequent Outlook Anywhere connections from a given client.

• 120746 Fixed an issue that resulted in an out-of-memory condition on the client-side Steelhead leading to a crash. The issue was due to buffering of write requests during NFS write-behind optimization. Buffering of write requests has now been made configurable. The issue is resolved by disabling buffering with the following CLI command on the client-side Steelhead:

no protocol nfs buffer-wrt-reqs enable

Note: Client-side and server-side Steelheads must be running on RiOS 7.0 or later releases, with the client-side Steelhead containing this fix. Codec flow control must be enabled on both the Steelheads for the fix to be effective. Codec flow control is enabled by default. If it is disabled, it can be enabled with: sport codec flow-control enable.

• 121070 Fixed an issue where link state of primary interface was not properly reported on a Virtual Steelhead. This could result in failures of activities depending on the link state, such as applying QoS to primary interface.

• 122882 Fixed an issue where IPv4 addresses were sometimes incorrectly formatted in log messages. Some log messages prepended ::ffff: to the IPv4 address, e.g. ::ffff:10.0.0.1. With the fix, IPv4 addresses are displayed in the x.x.x.x dotted quad notation.

• 124033 Object Prefetch and Stream Splitting feature code was updated to cache responses containing "Vary: Accept-Encoding", if no Content-Encoding is present in the response.

• 125506 Enhancement to reduce IP TTL value of passthrough packets when such packets are steered by path selection. This behavior was enabled by default and can be toggled using the following CLI command: '[no] path-selection settings ttl-decrement enable'

• 126135 Fixed an issue where a certain SMART query triggered a bug in an SSD with certain versions of firmware, resulting in the Steelhead storage controller getting into a FAULT state and the appliance becoming unresponsive. The fix works around the problem by monitoring the state of the storage adapter and hard-resetting the adapter if it is stuck in the FAULT state.

• 127119 Added a mechanism to stop uploads of diagnostic files in progress. The file upload stop command is now available to stop an in-progress upload.

• 127332 The file <type> upload <file name> command can now be used without additional parameters to upload to the Riverbed support site. An additional parameter may be given to specify a Riverbed support case number or (to get the old behavior) a URL to upload to instead of the Riverbed support site.

• 127721 When a URL without a trailing slash is used to upload dumps to a directory (rather than a file in a directory) on the server, the upload now has an error indicated in show uploads.

• 128149 Fixed a Linux kernel jiffies overflow problem on 32-bit Steelhead which might have led to a kernel crash when Inbound QoS was enabled.

• 129534 This fix restores the original behavior of the upgrade script.

• 130281 Fixed an issue that resulted in optimization service crash on the client-side Steelhead at sunrpc::ServerCacheList::add_extent(). Fix involves corrections in handling of failure of names encode and decode operations.

• 130630 Corrected incorrect memory usage calculation for HTTP optimization that led to new responses not being cached, and improved OPT caching policy.

• 130991 Fixed an issue that prevented RBM users and the monitor user from logging into the CLI. The permissions on the mfdb file were set incorrectly, preventing these users from reading the file during login, so login failed.

• 133206 Removed the restriction that an interface must be up and connected in order to configure the WAN link rate and enable QoS on it. If the interface is down, an alarm is raised indicating that the WAN bandwidth is greater than the detected link rate.

• 134683 Fixed an issue that affected file access on NetApp ONTAP 8.1.2+ cluster-mode filer due to timeouts. Fix involves handling of unchained responses to a single chained request on the server-side Steelhead.

• 135268 This fix resolves the mdadm crash that occurred when reassembling RAID disks where one RAID element is missing.

• 135671 Fixed an issue where 'show running-config' command was displaying the mask length for snmp-server command with / prefix, which is not allowed anymore.

• 135942 This fixed a bug in the decoder that triggered an optimization service crash when handling corrupt packets. The fix ensures that sport gracefully handles corrupt packets by attempting recovery and closing the connection if recovery fails.

• 136288 Added checks to avoid accessing invalid information that could cause optimization service crashes.

• 136892 Fixed an issue where packets of passthrough flows not subjected to path selection and were fragmented if they were larger than the in-path interface MTU. The issue existed only when Path Selection is enabled.

• 137215 Fixed an issue where some disk failures were not handled properly: the failed disk was not offlined and continued to be accessed, which resulted in performance and stability issues, as well as logs like:

kernel: Info fld=0x23, Current sdh: sense key Medium Error
kernel: Additional sense: Unrecovered read error

• 137589 The fix improves the connection information retrieval.

• 137696 Fixed an issue where with 8.0.x software, a certain load was not evenly distributed among the available cores on models with an SDR card (7050M, 7055M/H), and might trigger CPU utilization alarms under certain traffic conditions.

• 138208 Strengthened security around Riverbed customer support diagnostic access.

• 138278 Fixed an issue that resulted in a crash of the client-side optimization service in the Smb2 blade. The crash occurred when LeaseBreakNotification on a connection did not acquire the proper lock before updating lease state on another connection to which the lease belonged.

• 138418 Fixed an issue by removing an unneeded access to the disk file that checks for the current log level, thereby avoiding blocking on disk I/O when the system is under heavy load.

• 138610 Fixed an issue where an encrypted Outlook Administrator account could fail to connect to Exchange when Steelhead MAPI multi-context support was enabled. Steelheads now properly optimize these connections.

• 138773 Fixed an issue where a Citrix user reconnecting to a session using Session Reliability saw the reconnect hang when MultiPort optimization was in use. The user might have seen a stalled progress bar and the message Connection in progress, and the client-side Steelhead appliance might have shown a protocol error indicating misconfiguration of inner SSL. This issue was caused by interference of inter-Steelhead packets for Citrix MultiPort optimization and inner SSL optimization. The issue was resolved by delaying the Citrix MultiPort inter-Steelhead packet until the inner SSL setup is complete.

• 139239 Fix to ensure that DNS lookups do not happen on every request to discover the Key Distribution Center. Once discovered, the Steelhead now uses the cached value, thereby reducing the overall number of DNS requests.

• 139311 Fixed the formatting of the reports from 'show connections' and 'show flows' CLI commands to make them consistent with each other.

• 139798 Fixed a database corruption triggered by a configuration switch.

• 139973 Fixed a problem where the optimization process would not stop despite encountering an irrecoverable error. When an irrecoverable error was detected, the optimization process was supposed to stop itself and pass through connections. For certain errors involving the inpath interfaces, failing to stop the optimization process would cause traffic to be blackholed. With this fix, the optimization process stops, raises an alarm, and passes through all connections.

• 139999 Reporting has been made consistent.

• 140087 The active-active sync feature did not check for memory pressure when replicating traffic and only relied on the read/write disk pressure mechanism. However the disk pressure mechanism is enabled only when sdr-a-a is enabled. In turn if the disk I/O becomes unresponsive and sdr-a-a is disabled, the active-active sync feature can overflow the system with read/write disk requests to a point where the Steelhead runs out of memory.

• 140186 Fixed the interpretation of Citrix Client Drive Mapped file transfer packets from a Citrix server to a Citrix client that could result in a file corruption. This occurred when certain kinds of files were transferred from the Citrix server to the Citrix client during an optimized Citrix session with CDM latency optimization turned on.

• 140269 Upgrade to 8.5.0 release disables Skipware Legacy Compression as a default behavior.

• 140532 The interrupt vector assignment algorithm has been changed to avoid assigning interrupts being used by RSP.

• 140542 Fixed an issue that caused ICMP fragments to be dropped in a WCCP deployment.

• 140743 Fixed an issue where the optimization service aborted because of packet corruption on the TCP connection between Steelheads causing zero length esc packets. This fixed a crash in the optimization service resulting from packet corruption on the WAN. In particular, this fix addresses the case where the packet length was incorrectly set to 0. The fix helps avoid the crash, and ensures that the affected connection is terminated gracefully.

• 140790 Fixed an issue where Steelhead Mobile clients optimizing connections to multiple interfaces on the same server-side Steelhead would fail to optimize connections on certain interfaces but not others. The Steelhead Mobile client would create an out-of-band connection for each interface on the server-side Steelhead, but the server-side Steelhead would fail to find the correct out-of-band connection for all but the first interface on which it received a connection. When the server-side Steelhead failed to find the out-of-band connection, it would attempt to initiate an out-of-band connection with the Steelhead Mobile client. Steelhead Mobile clients were unable to accept connections, so no connections would be optimized over the problematic interfaces. The same issue can occur on client-side Steelheads that are behind a NAT device.

• 140940 CVE-2013-1944: cURL cookie stealing vulnerability in tailmatch.

DETAILS
-------
The tailMatch function in cURL and libcurl before 7.30.0 did not properly match the path domain when sending cookies, which allowed remote attackers to steal cookies via a matching suffix in the domain of a URL.

FIX
---
The curl package has been upgraded.

• 141017 Fixed an issue where a file transfer stalled when Smb2 optimization was enabled. The fix correctly handles the case where the server responds with status pending for a notify request in a chain of Smb2 requests.

• 141024 Fixed a bug where the Steelhead incorrectly assumed high memory pressure and throttled the traffic.

• 141276 Fixed a problem where a counting error on the server-side Steelhead appliance during optimized Citrix Client Drive Mapping transfers from the client to the server could cause memory corruption which frequently caused a failure of the optimization service. This error occurred with file sizes that are 1 to 11 bytes larger than an even multiple of 4096 bytes.

• 141368 The client-side optimization service could crash during MAPI pre-population. This crash was observed if MAPI pre-population was started on a connection, when the MAPI connection has not been fully set up prior to pre-population.

• 141432 User inputs were escaped before returning them to the web client.

• 141467 Fixed a problem where a Steelhead responded to its own auto-discovery probe in rare cases where the probe packet was sent back to it from a connection forwarding neighbor.

• 141793 Fixed an issue where optimization of SaaS connections through Steelhead Cloud Accelerator (SCA) would not work if the TCP probe option configuration was set to any value other than its default of 76. In direct-branch SCA mode, the Steelhead can continue to use the non-default probe TCP option value to peer with other customer Steelheads and it also peers properly with SCA Steelheads. In backhauled mode, the fix only works if the Branch Steelhead and Datacenter Steelhead use the same non-default probe TCP option.

• 141892 There is an INFO level message generated for each HTTP connection that indicates what optimizations are configured. Previously this was indicated by a binary flag value and has been updated to readable text.

• 141980 CWE 400: A fix was added to close an unbounded resource consumption vulnerability.

DETAILS
-------
It was possible to control the image dimensions for the optimized throughput graph generated by the application.

FIX
---
Limits were placed on the dimensions of the image to prevent exhaustion of resources.

• 142434 Provides more details in the log when the error deflate failed: -2 stream error occurs while using the SDR accelerator card. This information may be helpful to diagnose failures of the SDR accelerator card.

• 142473 The fix adds the port number to the OPT cache key. This ensures that data from different servers on the same host are differentiated.

• 143118 With the fix, the Steelhead advertises the correct number of IPv6 addresses to connection forwarding neighbors.

• 143202 Fixed a rare issue where a Steelhead could experience poor performance and log an error that included the text maybe_reset_inpath_interfaces after an upgrade.

• 143378 Cleaned up the old web certificates which prevented any future certificate generation and importation.

• 143386 Fixed an issue that caused intermittent issues during file opens. The issue occurs when an application, especially Microsoft Office, opens a file without acquiring the necessary Oplock.

• 143422 Addressed the handling of "show packet-mode" command that leads to CLI crash in debug mode.

• 143569 Fixed a rare condition where the optimization service failed when scaling to more than 100K connections. Improved handling of multiple connections that share the same data and that led to high CPU followed by a crash because the Steelhead detected some loop condition.

• 143790 Fixed a problem where PFS/RCU may fail on 32-bit platforms.

• 143807 Fixed the issue where no warning was given before shutting down for hardware spec upgrade. A warning has been added now, and a 'confirm' flag is needed to complete the action.

• 144064 Fixed a problem with Citrix client mapped drive optimization where duplicate requests for the same file offset were ignored which could lead to incorrect data being delivered to the Citrix server. A log message like the following may indicate that this problem has been experienced: [/citrix/sfe/parser WARN] {10.11.0.207:49935 10.11.141.63:1494} S Req: 03 00 14 00 00 e0 02 00 00 10 .. tail: 14 2a is a duplicate REQ

• 144134 Fixed a kernel panic that could occur in a virtual in-path deployment when RSP was enabled and RiOS generated fragmented packets. This was more likely to happen when packet-mode optimization was in use and fragmented packets were transported, though other cases involving fragmented packets going out of the in-path interfaces could trigger the issue, too.

• 144144 Fixed an issue where Encrypted-MAPI or Signed-SMB connections could get blocked when using Kerberos and the KRB5KDC_ERR_POLICY error was seen. The fix results in a connection being blacklisted instead.

• 144217 The optimization service could crash if the first two Outlook Anywhere connections were optimized within a very close timespan.

• 144300 Added support for DPI classification of Microsoft Lync traffic in QoS and Path Selection rules.

• 144397 Fixed an issue that occurred when CITRIX blade was enabled and QoS disabled. The issue caused packets belonging to a CITRIX connection, and carrying a non-null CITRIX ICA priority tag, to be marked with the ECN field in the IP header set to CE (binary 11 or Congestion Experienced). This could result in the packets being dropped by an intermediate device in the network.

• 144470 Fixed an issue where the CLI command 'reset factory keep-mgmt-ip reload' would cause the box to reload with the messages An internal error occurred and the system would fail to respond. The Steelhead now successfully reloads with factory configuration keeping mgmt ip intact. The CLI starts up with the initial wizard.

• 144472 Updated the Mouse-over help texts for authentication types for SMB, SMB2/3 and MAPI.

• 144491 This fix corrects an issue where the CLI show interfaces command did not display all the interfaces after another interface (e.g. mgmt0_0) was disabled.

• 144568 When a QoS rule is configured to classify Citrix ICA traffic based on per-packet ICA priority values, misclassification may occur if the ICA rule is moved from the 1st position in the rule list.

• 144793 CVE-2013-1950: libtirpc rpcbind remote denial of service.

DETAILS
-------
The svc_dg_getargs function in libtirpc version 0.2.3 and earlier, allowed remote attackers to cause a denial of service (rpcbind crash) via a crafted request. Note: This issue is not applicable to Steelhead versions 7.0 and lower.

FIX
---
This issue has been fixed by patching libtirpc for CVE-2013-1950.

• 144796 Fix is to unlearn the invalidated URL so that the Steelhead does not repeatedly drop connections to the base page.

• 144856 Fixed an issue so that temporary credential caches are destroyed correctly, preventing Kerberos tickets from leaking in delegation mode when performing cross-domain delegation.

• 145027 Fixed a minor issue that would result in Unexpected NULL error messages reported in the logs and that did not impact any functionality.

• 145194 This fix disallows adding recursive IPv6 routes and default gateways for in-path interfaces.

• 145211 Fixed an issue where the LAN interface MAC address instead of the WAN one could be used as the source MAC address for the outbound packets when the Steelhead was in virtual in-path mode.

• 145214 A race condition with Kerberos authentication against Windows Server 2008 R2 with password replication policy enabled was fixed.

• 145368 With the fix, the CMC Appliance Details page can list all the RiOS 8.5.0 systems.

• 145593 Fixed an issue where the minimum key size of 630bit for Lotus Notes Encryption optimization was not being enforced. Optimized Lotus Notes connections where the client or server has a key smaller than 630bit were being dropped.

• 145605 On the Site Edit pane in Basic QoS setup, changed the DSCP select list for QoP paths from Inherit from Application to Inherit from Site to provide more clarity.

• 145611 If a server-side Steelhead received too many SYN packets for a client-server connection through a client-side Steelhead, the server-side Steelhead might run out of memory, which caused the OOM memory manager to kill sport, the main Steelhead process. This fix addresses the issue by limiting the number of connections a server-side Steelhead will try to optimize when flooded with SYN packets. This feature is disabled by default. To enable it, use the following commands:

in-path conn-hard-limit auto
Enables probe splice limits and configures them automatically based on connection threshold and admission control limits.

in-path conn-hard-limit disabled
Disables probe splice limits.

show in-path conn-hard-limit state
Shows the set value as seen by intercept. This command is preferred over the one specified below.

show in-path conn-hard-limit config
Shows the set value in the config db. This is in case the sysctl and config db go out of sync for any reason.

• 145834 In Basic QoS mode, do not let the sum of site bandwidths exceed the configured WAN bandwidth.

• 145858 In a serial cluster optimizing IPv6 traffic using enhanced auto discovery, if we run into admission control on the first Steelhead, it's possible that the second Steelhead, which is supposed to take over the optimization duties, might experience an optimization service crash.

• The issue exists because of the way we were handling WAN visibility mode settings on middle Steelheads (it is independent of what WAN visibility mode is set in the in-path rule).

• 145884 CVE-2013-4854: BIND malformed RDATA remote Denial of Service (DoS).

DETAILS
-------
The RFC 5011 implementation in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and 9.9.4-S1b1, allowed remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query with a malformed RDATA section that was not properly handled during construction of a log message.

FIX
---
BIND was upgraded to 9.9.3-P2.

• 146050 Fixed a bug where excessive amounts of memory are allocated when transferring large files via Citrix Client Drive Mapping. This could result in out of memory conditions which could lead to crashes of the optimization service.

• 146220 Improved the performance of deleting multiple QoS classes from the GUI.

• 146237 Optimization process will no longer crash when this scenario occurs during active MAPI acceleration.

• 146316 The protocol connection * suite of CLI commands is expanded to accept both ipv4 and ipv6 addresses. These changes could facilitate the fixed target IPv6 inpath rules and single ended optimization with IPv6 use cases.

• 146370 Fixed an issue in RiOS 8.5.0 where when an interface is connected but QoS shaping is not enabled on that interface, a QoS configuration update causes the following log message: QoS: writing tc commmands to stdin err Broken pipe.

• 146624 Resolved a multi-threading issue with the SSL connection bypass table.

• 146796 CVE-2013-2249: Apache HTTP mod_session_dbd module unsafe save operations.

DETAILS
-------
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeded with save operations for a session without considering the dirty flag and the requirement for a new session ID, which had unspecified impact and remote attack vectors.

FIX
---
The Apache httpd daemon was upgraded to 2.4.6 and unused modules on the Steelhead were removed.

• 146853 Fixed an issue with the RTT calculation logic in RiOS that caused incorrect and extremely large values to be exported in Netflow records for connections that use transparent mode for inner connections.

• 147162 Fixed the counter overflow problem on 32 bit platforms that prevented simplified routing entries update.

• 147302 Applied a fix, such that after a hardware upgrade the QoS bandwidth limits are automatically updated and a reboot is not required for them to take effect.

• 147466 On the Current Connections page, in a given connection's detail pane, there is a new Path Selection table, which appears when Path Selection has been used by the given connection. Named paths have magnifying glass icons that, when clicked, show further details for that path.

• 147495 This change extends the range of disks recognized by the vSH on Hyper-V.

• 147685 CWE-79: Cross Site Scripting (XSS) Vulnerability on the EX platform's software upgrade page.

DETAILS
-------
Cross Site Scripting (XSS) Vulnerability was caused due to failure of a site to validate, filter, or encode user input before returning it to another user's web client.

FIX
---
Fixed an XSS vulnerability on the EX platform's Software Upgrade page.

• 147765 Fixed insufficient memory error for small 32bit boxes. For models 250,550,555,755, the machine might show an error saying Insufficient memory to sustain current model. Also, show hardware licensing info showed a DIMM with size 128MB or unbranded. This is fixed by upgrading to a newer version of the BIOS.

• 147895 Fixed an issue where the message No nic configuration file found will appear too frequently. This message no longer appears at the INFO level and only appears at the DEBUG level.

• 147949 Fixed the issue where the optimization service could crash when Steelhead entered Admission Control and had optimized MAPI connections. This was specific to the admission control handling of MAPI connections if special handling of MAPI connections under Admission Control was enabled.

• 148017 CVE-2013-4238: Python ssl.match_hostname man in the middle arbitrary server certificate spoof attack.

DETAILS
-------
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 did not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allowed man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

FIX
---
Upgraded Python 2.6 RPM with patch for CVE-2013-4238.

• 148135 Replaced certain verbose HTTP 500 errors with generic ones.

• 148200 Forms submitted using a GET method instead of the standard POST -- for example, through bookmarking of a carefully crafted URL -- could result in race conditions, denial of service and security check bypass. Web UI forms can now only be submitted with the POST method.

• 148238 This fix hides TCP Congestion Algorithm and outer channel IP address for SHM connections since there is no WAN section and outer channel IP address for the connections between SteelHead Mobile and Client Side SteelHead.

• 148660 Fix was made to properly classify DPI applications that rely on the port map in the DPI library.

• 148816 Fixed a Cipher suite ... is not supported. log message so that the unsupported cipher suite is correctly printed.

• 148943 Enabled decrementing time-to-live (TTL) for such packets by default.

• 148964 CWE-79: Cross Site Scripting (XSS) Vulnerability in management UI log display page.

DETAILS
-------
Cross Site Scripting (XSS) Vulnerability was caused due to failure of a site to validate, filter, or encode user input before returning it to another user's web client.

FIX
---
Values returned in the UI log display page are escaped.

• 149174 Fixed parsing logic to correct the statistics reported by CLI command 'show path-selection paths stats'.

• 149549 Fixed memory leaks in the management process.

• 149892 Fixed a regression in RiOS 8.5.0 where the Filter by: Regular Expression filter criterion for Current Connection was no longer available.

• 149904 Fixed an issue with the QoS feature that did not work on the AWS Cloud Steelhead. Previously, when configuring QoS, an error saying that the primary link is not up or that the link speed is lower than the configured wan link rate would show up. This did not affect ESX Cloud SteelHead.

• 149926 Fixed problem where web rest-server enable caused the web server to stop responding.

• 150222 Fixed an issue with the handling of small requests and responses for optimized exchange traffic.

• 150257 Removed RiOS internal state information from the output of the CLI command 'show path-selection path * state'.

• 150258 This fix addresses a page allocation failure with backtraces which may have been seen when a sysdump was initiated. This issue was due to large memory allocation attempts while displaying tcp socket details using networking tools like netstat -al. This happened only when the Steelhead had lots of fragmented memory.

• 150358 The issue arose because internal tables on the Steelhead which store the per-flow direction value were not updated correctly. This has been addressed and with the fix, the value of the biFlow direction for each flow is consistent through the lifetime of the flow.

• 150401 Fixed the logic that causes the following error message to be logged when there is no functional impact while executing the CLI command 'show path-selection path * state': [mgmtd.ERR]: Failed parsing paths config proc entry

• 150449 Fixed a problem in validation of the SSL proxy certificate against the host name presented in the SNI. This validation would erroneously fail if the proxy certificate used wildcard characters. A specific example would be a bypass for www.google.com if the proxy certificate contained *.google.com. Code was updated to correctly handle such wildcards.
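The two certificate-name problems in this list, the wildcard validation against the SNI host name (150449) and the '\0' handling in a Subject Alternative Name (CVE-2013-4238), come down to one matching routine. The sketch below is an added example, not RiOS or Python library code; the function names, the whole-label wildcard policy and the .example names are assumptions made for illustration.

```python
"""Matching a certificate dNSName entry against an SNI host name."""
import ipaddress


def labels(name):
    """Lower-case DNS labels, ignoring one trailing root dot."""
    return name.lower().rstrip(".").split(".")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def san_matches(san, hostname):
    """True if one raw dNSName entry (bytes) covers `hostname` (str)."""
    if b"\x00" in san:
        return False  # embedded NUL: reject outright, never truncate
    try:
        pattern = san.decode("ascii")
    except UnicodeDecodeError:
        return False
    if is_ip_literal(hostname):
        return False  # DNS names, wildcard or not, never cover IP literals
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # a wildcard stands for exactly one non-empty label
    if p[1:] != h[1:]:
        return False  # everything right of the first label must be equal
    if "*" not in p[0]:
        return p[0] == h[0]
    # Policy chosen for this example: '*' must be the whole leftmost label
    # and at least two fixed labels must follow it (so "*.com" never matches).
    return p[0] == "*" and len(p) >= 3


def proxy_cert_covers_sni(sans, sni):
    """True if any dNSName entry of the proxy certificate covers the SNI name."""
    return any(san_matches(s, sni) for s in sans)


def c_string_view(san):
    """What an API that stops at the first NUL byte would see."""
    return san.split(b"\x00", 1)[0]


# Constructed input; the .example names are placeholders.
NUL_SAN = b"www.bank.example\x00.other.example"

if __name__ == "__main__":
    print(proxy_cert_covers_sni([b"*.google.com"], "www.google.com"))  # wildcard case
    print(san_matches(NUL_SAN, "www.bank.example"))                    # full bytes
    print(san_matches(c_string_view(NUL_SAN), "www.bank.example"))     # truncated view
```

Comparing the full byte string keeps the NUL entry from matching, while the truncated view shows why a NUL-terminated comparison accepts it.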

• 150483 Fixed a problem where emails reporting /bin/sh: /usr/lib/sa/sa1: No such file or directory may be sent from 32-bit appliances running RiOS 8.5.0.

• 150592 Fixed an issue where anonymous logons for CIFS-SIGNED connections are now correctly handled in NTLM-Delegation mode as opposed to getting blacklisted.

• 150669 Fixed an issue that caused PFS local mode shares created pre-7.0.0 to be inaccessible when RiOS is upgraded to 8.5.0.

• 150743 When upgrading to RiOS 8.6.0, we scan the QoS configuration, detect the corrupted QoS configuration and fix it automatically.

• 150957 Fixed an issue with the http optimization service which was dropping the beginning part of request data if bypass condition was hit when parsing the http headers split in more than one tcp frame.

• 151006 The fix gracefully handles the Outlook user reconnect and MAPI pre-population session close.

• 151073 The fix in RiOS kernel gracefully handles the rare condition to prevent service disruption.

• 151146 Due to a complex coding issue there are times when the Citrix DSCP markings are incorrect. These issues are now resolved.

• 151160 Implemented DSCP transparency feature to preserve the DSCP value from end-hosts to all outer and inner connection packets when full-transparency mode is used. Server and probe caching features must be disabled.

• 151284 A component required for QoS was missing in the Hyper-V interface driver. This caused QoS to always be disabled on Virtual Steelhead for Hyper-V. This fix now adds in that component.

• 151418 Fixed the SSL optimization module selection logic.

• 151461 Fixed a problem where log messages stating [ping/client.ERR] 0 {- -} Error reading from socket Unknown error were printed when handling a premature end-of-stream TCP socket error. The TCP socket error is now handled correctly, and the log message states that an end-of-stream error occurred.

• 151633 The fix is to do a complete cleanup of specific data structures involved in the Find operation in Sport when a SMB2 Find Operation is cancelled by the client.

• 151682 Fixed an issue which caused client side optimization service to crash when smb2 optimization was enabled and a request inside smb2 compound request was cancelled by the client. The fix is to appropriately handle the state of request upon being cancelled and not treat it incorrectly as a pre-acknowledged request.

• 151873 This fix adds the SaaS platform name for pass-through connections which go through Akamai when SaaS is supported and enabled. In the CLI, the user can see the SaaS platform name in the show connection details report.

• 151875 The fix ensures that the state in the Steelhead required to intercept the proxied MAPI connections is not lost unexpectedly.

• 151920 Fixed a problem that caused a crash while processing HTTP requests using chunked transfer encoding, if the CRLF following the chunk length and the chunk length were split in two different tcp packets.

• 151943 Code has been corrected to properly generate the required ICMP fragmentation needed when a packet is dropped due to inpath MTU setting.

• 152046 Fixed an issue where the passthrough reason reported for failed terminated connections from Granite is misleading.

• 152250 On a Steelhead with double interception, there may be two connections with the same source IP, source port, destination IP and destination port. This fix adds support to display these connections together in the CLI.

• 152280 This fix temporarily removes SMB2 Find prefetches on encountering a compound request containing a Create request and an unsupported find request.

• 152447 This fix treats report settings as non-configuration changes so that they are not reported as configuration changes and no SNMP trap is generated.

• 152628 Fixed a bug that caused the console dump process to repeatedly display the same outdated message localhost kernel: con_dump: restoring oops message, timestamp=... after a machine reboot

• 152667 Fixed an issue that resulted in performance issues with CIFS clients. Microsoft Office applications were particularly vulnerable to slowness. The issue occurred when the server was NetApp ONTAP 8.x C-mode, only for releases prior to 8.2P3. To identify whether a slowness issue is due to this bug, apply the Wireshark filter below to a server-side Steelhead LAN trace; if it shows one or more packets, then it is a match for this bug:

(smb.cmd==36) && !(smb.flags2.string == 1) && (smb.lock.type.oplock_release == 1) && (tcp.dstport == 445 or tcp.dstport == 139)

• 152793 CVE-2010-5107: OpenSSHv6.1 fixed time limit connection slot exhaustion DoS.

DETAILS
-------
The default configuration of OpenSSH through 6.1 enforced a fixed time limit between establishing a TCP connection and completing a login, which made it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.

FIX
---
To reduce the risk of denial of service attacks described in CVE-2010-5107, added MaxStartups 10:30:100 to sshd_config file, and patched OpenSSH to have that be the default. This enables random early drop as described in the sshd_config man page.
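What MaxStartups 10:30:100 changes in practice, as an added example that is not Riverbed or OpenSSH code: it computes the random-early-drop percentage for a start:rate:full setting and reads the effective value from sshd_config text. The function names and sample configurations are constructed, and the fallback of a bare "10" when the directive is absent is an assumption about unpatched OpenSSH through 6.1.

```python
"""Drop behaviour of sshd's MaxStartups start:rate:full (random early drop)."""
import re

# Assumption: without the directive, an unpatched OpenSSH through 6.1 behaves
# like a bare "MaxStartups 10" (hard cap at 10, no early drop).
UNPATCHED_DEFAULT = "10"


def parse_max_startups(value):
    """Return (start, rate, full) from 'start:rate:full' or a bare 'N'."""
    m = re.fullmatch(r"(\d+)(?::(\d+):(\d+))?", value.strip())
    if not m:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start = int(m.group(1))
    if m.group(2) is None:
        return start, 100, start  # bare N: refuse everything once N are pending
    rate, full = int(m.group(2)), int(m.group(3))
    if start > full or not 1 <= rate <= 100:
        raise ValueError(f"inconsistent MaxStartups value: {value!r}")
    return start, rate, full


def drop_percent(pending, start, rate, full):
    """Chance (0-100) that a new connection is refused while `pending`
    unauthenticated connections are already open."""
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full`.
    return rate + (100 - rate) * (pending - start) // (full - start)


def effective_max_startups(config_text, default=UNPATCHED_DEFAULT):
    """First uncommented MaxStartups line wins; otherwise use `default`."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)maxstartups(?:\s+|\s*=\s*)(\S+)$", line)
        if m:
            return parse_max_startups(m.group(1))
    return parse_max_startups(default)


def audit(config_text):
    """Summarise the setting and its drop percentage at a few load levels."""
    start, rate, full = effective_max_startups(config_text)
    probes = sorted({start - 1, start, (start + full) // 2, full})
    return {
        "setting": f"{start}:{rate}:{full}",
        "early_drop": start < full and rate < 100,
        "drop_percent_at": {n: drop_percent(n, start, rate, full) for n in probes},
    }


# Constructed sample configurations (not taken from an appliance).
PATCHED = "Port 22\nMaxStartups 10:30:100\n"
UNPATCHED = "Port 22\n#MaxStartups 10:30:100\n"

if __name__ == "__main__":
    for name, text in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, audit(text))
```

With the hard cap, every new connection is refused once 10 unauthenticated connections are pending; with 10:30:100 a new connection at that point is still admitted 70% of the time, and refusals only become certain at 100.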

• 152827 Resolved the issue that triggered the admission control in SH due to memory pressure. Previously, certain requests cached by the MAPI connection tracker were only cleared when all the connections between a particular client-server pair terminated. As a result, in certain environments, this was leading to an increased memory usage, and hence high memory pressure. With the current fix, the per association group cleanup is done, as soon as all the connections belonging to that particular association group have terminated, thus relieving memory pressure.

• 152861 Fixed an issue which caused server side optimization service to crash when Smb2 optimization was enabled and an interim Notify response came from server before rest of the chained responses. The interim response was held back at SFE causing failure in processing rest of the chain responses. The fix is to let the interim response reach the client and have the rest of chained responses sent to the client when complete chain is received.

• 152903 Fixed a memory corruption issue in CIFS blade that caused crash of optimization service. The crash stack dump lists CodecHandle::~CodecHandle().

• 152965 Fixed an issue where the Steelhead might crash when Steelhead Cloud Accelerator was optimizing O365 outlook client connections. The crash might occur on a heavily-loaded Steelhead due to an invalid pointer access triggered by a new Outlook optimized connection creation.

• 153086 The optimization service crash was seen because the HTTP module was trying to clean up some internal state which had already been cleaned when we received end of connection from the server. Now if the HTTP module receives any message from the server after the end of connection, we drop the connection.

• 153113 Fixed an issue where continuous logging hung up the UI when too many requests were active at the same time.

• 153148 Resolved a service crash that could occur in rare cases after an HTTP request parse failure on the server side Steelhead. This was due to an unexpected HTTP request that was supposed to result in a connection drop, but due to a bug in the error message formatting, it resulted in a crash.

• 153272 Fixed an issue where O365 webmail connections through Steelhead Cloud Accelerator might fail when Steelhead and Interceptor were deployed on the client-side. This issue occurred when Steelhead tried to apply cloud acceleration to connections that were RiOS passthrough, which was its default behavior.

• 153328 Correctly handle Kerberos Authentication Protocol requests without an authenticator subkey to prevent a potential sport crash while performing kerberos decryption.

• 153424 New feature: A new sys_admin RBM role allows users full administration access, including changing users and RBM permissions without being logged in as Admin. The feature provides better control and auditing of users with privileged access levels.

• 153482 The issue occurred in the MAPI component when the client side Steelhead was waiting for the encryption key from the server side and a request came on the same connection without any authentication context. The fix ensures the correct handling of this scenario.

• 153504 RBM users may use tcpdump if they are given that role with read-write permission.

• 153653 Fixed an issue where un-canceled timeout events in the optimization service's event-system could result in a crash.

• 153762 CVE-2013-4348: skb_flow_dissect remote Denial of Service via IHL with IPIP encapsulation.

DETAILS
-------
The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allowed remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.

FIX
---
The kernel has been patched to mitigate CVE-2013-4348.

• 153763 Fixed an issue when handling multiple outstanding authentication requests on a single MAPI connection. The outstanding requests are now serialized to ensure correct behavior.

• 154090 Fixed memory leak issue introduced due to libxml2 library upgrade in RiOS 8.5.0.

• 154094 Fixed an issue with the dns interface cli command where the warning Unable to find header for reverse mapping block would appear in the system log.

• 154199 Fixed an issue where SMB3 port 8781 would not be listed among list of Monitored Ports.

• 154203 CVE-2013-4545: cURL man in the middle certificate spoofing

DETAILS
-------
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disabled the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) was disabled, which allowed man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

FIX
---
Applied patch to cURL for CVE-2013-4545. The fix preserves acknowledging VERIFYHOST when VERIFYPEER is disabled.

• 154252 Fixed an issue where the Gratuitous 401 responses to HEAD requests from the client-side Steelhead included the message body resulting in parse failures and thereby dropped connections.

• 154295 Fixed the shutdown code that would prevent the optimization service crash when MAPI pre-population was being closed.

• 154358 Fixed an issue where the following message might appear in the log on systems with a certain type of eUSB device: Let scsi_cmnd (1) abort. usb 2-5: reset high speed USB device using ehci_hcd and address 2

• 154410 The Web UI now sets the X-Frame-Options header, which provides an additional layer of protection against cross-site scripting vulnerabilities.

• 154630 Fixed an issue where an empty inner connection pool would fail to repopulate pool connections to the peer Steelhead if the last connection in the pool was removed due to an error. With this fix, the connection pool will repopulate the next time an optimized connection is created for the peer Steelhead associated with that connection pool.

• 154671 The version incompatibility alarm between connection forwarding neighbors, when multi-inpath support was enabled, has been fixed to be shown as Cluster Neighbor Incompatible.

• 154696 Fixed an issue where deleting a QoS rule could corrupt another rule, causing it to pick up the paths specified in the rule below it.

• 154763 Fixed a bug that was caused by certain bulk qos configuration changes which only happened when the changes were pushed from CMC or due to a config DB switch.

• 154811 Fixed a bug found in the HFSC upper limit service curve which caused a lot of packets to be throttled incorrectly and CPU utilization to be high.

• 155001 Fixed an issue where server side Steelhead running RiOS 8.5.0 or higher dropped CIFS pre-pop connections initiated by the client side Steelhead running RiOS 6.5.6 or lower.

• 155260 Fixed an issue that prevented secure peering when optimizing snap mirror and SRDF traffic.

• 155336 Fixed an issue where the /var partition became full after collecting Application Visibility stats. The system dynamically scales back granularity thresholds when low partition space is detected.

• 155648 CVE-2013-6449: OpenSSL ssl_get_algorithm2 version number remote DoS using TLS 1.2 client

DETAILS:

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtained a certain version number from an incorrect data structure, which allowed remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

FIX:

This issue has been fixed by patching the OpenSSL library to fix CVE-2013-644

• 155751 A problem was introduced in 8.5.0 where the first request of an Oracle Forms connection was incorrectly interpreted and being blocked. Clients would issue a request and it would appear as if the server weren't responding. Corrections to the parsing code have resolved this problem.

• 155783 CVE-2013-4353, CVE-2013-6449, CVE-2013-6450: Openssl cumulative security update

DETAILS:

Openssl cumulative security update for CVE-2013-4353: TLS record tampering, CVE-2013-6449: TLS incorrect version checking and CVE-2013-6450 DTLS context interference

FIX:

Upgraded OpenSSL to 1.0.1f to fix CVE-2013-4353, CVE-2013-6449, CVE-2013-6450.

• 155830 Fixed NT_STATUS_REVISION_MISMATCH during replication to some Windows 2003 R2 and Windows 2012 R2 servers caused by unsupported Bind response lengths.

• 155913 Fixed a problem where the local interface IP address was not correctly printed when the Out-of-Band (OOB) connection was disconnected. Log messages for Resetting state for oob splice would sometimes print the IP address of a different local interface than the interface on which the OOB connection was established. The log message now prints the IP address of the local interface associated with the OOB being disconnected.

• 155950 CVE-2013-4353, CVE-2013-6449, CVE-2013-6450: Openssl cumulative security update.

DETAILS
-------
Openssl cumulative security update for CVE-2013-4353: TLS record tampering, CVE-2013-6449: TLS incorrect version checking and CVE-2013-6450 DTLS context interference.

FIX
---
OpenSSL was upgraded to mitigate CVE-2013-4353, CVE-2013-6449, CVE-2013-6450.

• 156010 Fixed an issue where unsigned CIFS connections got blocked due to a regression. Unsigned CIFS connections continue to get latency optimized as in pre-8.5.2.

• 156286 CIFS prepop sync operations that exceed max sync time or max sync size were cancelled, and the sync operation was marked as failed. This caused the sync operation to retry after 5 minutes, which was not desirable. The fix to this bug treats these errors as non-critical and avoids retries.

• 156358 The optimization service (sport) could crash due to excessive buffering of packets, resulting from slow response to growing memory pressure on a steelhead. This fixes the issue by detecting memory pressure in advance and throttling traffic.

• 156432 Fixed an issue that resulted in optimization service crash on the client-side Steelhead at NamesDecoder::handle_event(). Fix involves clearing action pointer when encode or decode operation completes, irrespective of whether it succeeds or not.

• 156487 Path Selection Path Down alarm emails didn't show which path was down. Path down alarm emails now list out the name of paths that are down.

• 156897 Fixed an issue where SNMP did not listen on Mgmt In-Path interfaces.

• 157120 Fixed an issue that caused server side optimization service crash at Smb2::ChainSplitterQueue::update_lease_create_response(). For a certain sequence of request commands in an SMB2 packet sent to the server, the SMB2 optimization module on the server-side Steelhead failed to do error checking on the response. The fix involves addition of response error checks.

• 157317 Mismatch between milliseconds and seconds in time conversion was causing period between SCEP certificate renewal checks to be 1000x longer than expected. Certificate was checked ~17 hours after initial startup, then every 1000 days after that. Corrected time conversion so checks occur 1 minute after startup, then every 24 hours after that.

• 157319 Fixed an issue where connections from Steelhead EX RiOS to Granite core were not optimized and the following error messages occurred in the Steelhead syslog: [intercept.ERR] - {- -} ioctl 0xc0c87a06 (z - 6) failed: Invalid argument.

• 157351 Fixed an issue which caused crash of client-side optimization service when Smb2 blade was enabled. Crash occurred when the client reused a lease on a connection while the lease preexisted from another closed connection. A notice level log that attempted to access the parser from the closed connection led to this crash. The fix is to get rid of that reference to closed connection in the notice level log.

• 157539 The OVA package has been updated to add support for older hosts (older than ESXi 5.0).

• 157540 Fixed an issue that resulted in client-side optimization service crash originating from Smb2::ClientParser::request_cancel_hook(). The fix involves making sure that the file handle exists when an SMB2 Find operation is cancelled, before attempting cleanup of specific data-structures.

• 157553 Fixed an issue in RiOS kernel that caused a kernel panic when a SYN packet of a transparent mode inner connection that originated at a Steelhead which was also a connection forwarding neighbor was processed.

• 157716 Before the fix, RIOS would cease latency optimization if an early response was detected. A synchronization problem between peering Steelheads was introduced in 8.5.0 where a few bytes of internal routing data were appended. The extra data would have been interpreted by the server as a Bad Request. The issue has been resolved.

• 157931 New feature: the SSH server's allowed message authentication code (MAC) algorithms may be configured using the ssh server allowed-macs CLI command. The show ssh server allowed-macs CLI command shows the current setting. The default setting is to allow hmac-sha1, which has been available in OpenSSH since version 2.1.1 (June 2000), hmac-sha2-256, and hmac-sha2-512. Other MACs that may be enabled are hmac-md5, [email protected], hmac-ripemd160, hmac-sha1-96, and hmac-md5-96.

• 158139 Fixed an issue that caused the pathSelectionPathDown SNMP trap to be reported instead of pathSelectionPathDownClear when the path down alarm cleared.

• 158279 The Steelhead optimization service could print a warning syslog message like enable_callid_renumber() called more than once, this should not happen!. While the MAPI optimization would continue without issues, we have fixed the underlying condition that triggered this message.

• 158343 Fixed an issue that caused mgmtd in FIPS mode to crash while processing a user's password change. This issue only occurred if the user's expired password was blank, and when prompted to enter this old password the user entered a non-empty value.

• 158423 Fixed a race condition that existed when the path selection feature was enabled and the Steelhead received ICMP packets that would cause failure of the path-monitoring daemon.

• 158480 Fixed an issue where some error conditions (e.g., Cannot assign requested address) on the server-side Steelhead might have caused the connection states to get out of sync among the Connection Forwarding peers (with or without Interceptors, but more likely to happen with Interceptors.) When this happened, the SYN-ACK packet from the server might have been leaked to the client rather than being intercepted by the server-side Steelhead, causing the client-side Steelhead Asymmetric Routing alarms to be triggered.

• 158622 Before Outlook opened a MAPI connection to the Exchange server it used the EPM protocol to query for the TCP port of the Exchange MAPI service. The Steelhead optimization service was not using the Exchange MAPI service's IPv4 address of the EPM protocol correctly. With the bug fix applied the optimization service is correctly using the IPv4 address.

• 158818 CVE-2013-1775: sudo authentication bypass via system clock and user timestamp reset.

DETAILS
-------
sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allowed local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.

FIX
---
Upgraded sudo RPM as described in https://rhn.redhat.com/errata/RHSA-2013-1701.html to fix CVE-2013-1775.

• 159010 Fixed a race condition in the RiOS kernel that may have caused a kernel panic when disabling the path selection feature.

• 159437 The truncation is fixed and the correct number of connections is displayed.

• 159533 FTP blade was unable to handle EPSV mode responses that used a non-standard delimiter. Most FTP servers used the '|' character to delimit the port number, and RiOS failed if any other character was used. Relaxed parsing code to allow for legal delimiters per RFC 2428.

• 159644 Fixed an issue that would cause fragmented packets other than TCP, UDP, or ICMP to be blocked when RSP was enabled. This was due to some mishandling in the defragmentation logic for such packets.

• 159832 CVE-2012-6638: Linux Kernel tcp_rcv_state_process SYN+FIN remote DoS

DETAILS
-------
The tcp_rcv_state_process function in the Linux kernel allowed remote attackers to cause a denial of service (kernel resource consumption) via a flood of SYN+FIN TCP packets.

FIX
---
SYN+FIN TCP packets were generally illegal and served no legitimate purpose. The RiOS kernel has been patched to drop such packets.

• 160011 CVE-2014-1912: Denial of Service vulnerability in Python sockets due to boundary check errors in sock_recvfrom_into

DETAILS
-------
A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that used the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code. This vulnerable function, socket.recvfrom_into(), was introduced in Python 2.5.

FIX
---
Applied security patch to Python for CVE-2014-1912.

• 160464 Configuration options 'protocol mapi outlook-anywhr schannel enable' and 'protocol mapi outlook-anywhr multi-context enable' were interacting in a way that forced multi-context to be enabled anytime that schannel was enabled. This issue has now been resolved and multi-context support can be disabled if needed.

• 160543 Fixed a kernel panic issue that would happen when disabling Path Selection while traffic was running and got Path Selected. This was because the system resources for some inpaths could have been released while other inpaths were still active. When a packet from an active inpath got steered to one that had been disabled, the panic could occur.

• 160623 CVE-2014-0092: GnuTLS Certificate Validation Security Bypass Vulnerability

DETAILS
-------
GnuTLS failed to properly handle certain errors in X.509 certificate verification, which could result in a specially-crafted certificate being accepted as valid even when issued by any non-trusted Certificate Authority. This could be used to perform man-in-the-middle attacks against applications using GnuTLS.

FIX
---
No action needed: GnuTLS is not used in the currently supported RiOS software (it was removed starting with RiOS 8.6), which is therefore not vulnerable to CVE-2014-0092.

• 160813 Fixed this bug by ensuring the Global DSCP setting does not overwrite the DSCP value set by the matched header base rule.

• 161148 When using web ssl cert generate key-size, unusable key sizes which would have caused HTTPS access to the web server to fail are disallowed.

• 161153 When using web ssl cipher, invalid cipher strings are disallowed.

• 161176 Netflow templates carried field IDs for RiOS specific fields in the range carved out for Riverbed, 51000 and higher. This behavior was enabled by default when a Netflow v9 or CascadeFlow collector was configured. The behavior can be toggled using the CLI command, '[no] ip flow-export destination <collector_ip> <collector_port> rvbd-field-ids enable'.

• 161478 Fixed an issue where the sched process would sometimes crash when deleting a job scheduled to execute in the future. This would only occur if sched, or the entire appliance, was restarted after creating the job.

• 161682 Fixed an issue where a failed addon card could cause other addon cards to be not properly identified and used.

• 161816 Fixed an issue that prevented Windows 8.1 or Windows 2012R2 clients from establishing SMB3 connections when connecting through Steelheads.

RiOS releases affected by the issue:
7.0.x
8.0.0 to 8.0.6
8.5.0 to 8.5.2b

With this fix, connections from Windows 8.1 to Windows 2012+ servers are latency-bypassed, while SDR optimization on these connections is not affected. Latency optimization of connections from Windows 8.0 to Windows 2012+ servers and SMB 2.x connections is not affected.

• 161842 Modified certain error messages from the image fetch command to prevent information disclosure in logs.

• 161849 Made the following CLI command available that allows for the in-path interface MTU and LAN and WAN interface MTUs to be decoupled: 'interface mtu-override enable'. This capability is required if RiOS is unable to receive and process packets larger than the in-path interface MTU, including passthrough packets.

• 161984 Fixed this bug by ensuring invalid site index is not accepted as input.

• 161987 CVE-2014-0098: Apache httpd mod_log_config crafted log cookie denial of service.

DETAILS
-------
The log_cookie function in mod_log_config module in the Apache HTTP Server allowed remote attackers to cause a denial of service via a crafted cookie that was not properly handled during truncation.

FIX
---
Upgraded Apache httpd web server to fix security bug CVE-2014-0098.

• 162094 On the Current Connections UI report, applications are sorted by their displayed name. Higher-level components of the application name, if any, are available in a tooltip or in the connection details. Only the last component is used for sorting.

• 162506 After an upgrade or reboot, netflow records are not sent to the configured collectors and Application Visibility reports are not created, even though enabled. Also, top talker reports may not display any data even though the feature is enabled. This issue can be identified by checking the netflow/interfaces file in the sysdump, which will indicate in this case that flow tracking is not switched on for any of the interfaces. If the user has configured collectors on the Steelhead, flow export can be disabled and enabled. For Application Visibility to work, the same can be disabled and enabled. For top talkers to work, the same can be disabled and enabled.

• 162741 The Steelhead no longer logs this warning for valid empty response PDUs. If this empty response is received during cached mode acceleration and skip-copy is not enabled, the following INFO message is logged instead: Accelerator was optimizing when empty response was received. You may want to enable 'protocol mapi skip-copy enable' on client-side and server-side Steelhead.

• 163509 Fixed a problem where the Citrix optimization blade was causing high CPU usage. The high CPU usage was due to logic in the Citrix blade that processed a long chain of data and took a long time to complete. Due to this high CPU usage, the watchdog timer would mark the thread as unhealthy and cause a SIGABRT signal to be sent to the optimization service, resulting in its termination.

• 163622 CVE-2014-2653: OpenSSH remote servers skipping SSHFP DNS RR checking.

DETAILS
-------
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allowed remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

FIX
---
Applied patch for CVE-2014-2653 to OpenSSH.

• 163743 CVE-2014-0160: OpenSSL heartbeat extension sensitive information disclosure. (a.k.a. Heartbleed bug).

DETAILS
-------
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g did not properly handle Heartbeat Extension packets, which allowed remote attackers to obtain sensitive information from process memory via crafted packets that triggered a buffer over-read. See http://heartbleed.com/ for more details.

FIX
---
Upgraded OpenSSL to 1.0.1g to fix CVE-2014-0160 (Heartbleed Bug).

• 163928 Path Selection may not be applied to WAN bound traffic if the next hop or default gateway for a Steelhead's in-path interface is on LAN side. Default gateway or next hop must be on the WAN side of the Steelhead. The next hop may be set by adding a static route in the in-path interface's routing table.
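
For item 159533 above: an added example (not RiOS code) that parses the RFC 2428 EPSV reply field `(<d><d><d><tcp-port><d>)`, with a pipe-only parser modelling the pre-fix behaviour beside a relaxed one that accepts any delimiter in ASCII 33-126. The function names and sample replies are constructed for illustration, and rejecting digit delimiters is a choice of this example.

```python
import re


class EpsvError(ValueError):
    """A 229 reply whose port field is missing or malformed."""


# Model of the pre-fix behaviour described in 159533: only '|' is accepted.
_PIPE_ONLY = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

# RFC 2428 reply field: (<d><d><d><tcp-port><d>), where <d> is one printable
# ASCII character (33..126) repeated in all four positions. Digits are
# excluded here (a choice of this example): they are ambiguous with the port.
_ANY_DELIM = re.compile(r"\(([!-/:-~])\1\1(\d{1,5})\1\)")


def _extract_port(pattern, group, reply):
    if not reply.startswith("229 "):
        raise EpsvError("not a 229 reply")
    match = pattern.search(reply)
    if match is None:
        raise EpsvError("no well-formed EPSV port field")
    port = int(match.group(group))
    if not 1 <= port <= 65535:
        raise EpsvError(f"port out of range: {port}")
    return port


def parse_epsv_pipe_only(reply):
    """Strict parser: fails on any delimiter other than '|'."""
    return _extract_port(_PIPE_ONLY, 1, reply)


def parse_epsv(reply):
    """Relaxed parser: any legal delimiter, used consistently."""
    return _extract_port(_ANY_DELIM, 2, reply)


def accepts(parser, reply):
    """True if the parser returns a port for this reply."""
    try:
        parser(reply)
        return True
    except EpsvError:
        return False


# Constructed sample replies (not captured from a real server).
SAMPLES = [
    "229 Entering Extended Passive Mode (|||6446|)",           # recommended
    "229 Extended Passive Mode OK (!!!50000!)",                # legal, non-standard
    "229 Entering Extended Passive Mode (|||6446!)",           # mixed delimiters
    "229 Entering Extended Passive Mode (|1|10.0.0.1|6446|)",  # address fields set
    "229 Entering Extended Passive Mode (|||65536|)",          # port out of range
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(accepts(parse_epsv_pipe_only, reply), accepts(parse_epsv, reply), reply)
```

The relaxed parser still rejects replies with mixed delimiters, populated address fields, or an out-of-range port, so loosening the delimiter does not loosen the rest of the field.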

6) KNOWN ISSUES

• 150102 Memory leaks may occur if non-SSL traffic flows over SSL ports. The memory leaks have been fixed.

• 158916 When using SCEP for peering certificates, automatic renewal fails with error Transaction not permitted or supported by the SCEP responder (eg, wrong passphrase, rejected by CA operator, etc).

• 161036 When connecting to the Cloud Portal through a proxy server, the ESH version of curl adds a Content-Length header to the CONNECT request. Some proxy services will fail the CONNECT request with a 400 status. ESH requests to the Cloud Portal will fail. Configure the proxy server to allow requests with 'Content-Length' header.

• 162338 SNMP traps are triggered only when email notification is enabled. Keep email notification enabled to continue triggering SNMP traps.

• 162479 On the Current Connections report, some connections have multi-level application types such as HTTP > WebDAV > SharePoint. Only the last component is used for table display and sorting. It is not possible to sort by the first component of the chain. Filtering on the higher-level application component, then sorting, can be used to find children of an application.

• 162670 The Steelhead QoS functionality cannot classify Microsoft Lync 2013 traffic.

• 164125 On the User Permissions screen of the UI, the Citrix Acceleration role is misspelled and appears at the bottom of the list under the Uncategorized heading. Use the Citrx Acceleration role to assign permissions for Citrix.

• 164780 For customers who use Path Selection, Quality of Service, Netflow DPI, or Application Visibility, SMB2 connections may be reported as CIFS on the Current Connections report.

• 173590 Downgrading the Steelhead to RiOS 8.6.x from a pre-8.6 release that is dated later than the 8.6.x release will cause a loss of license and optimization will fail to start. This scenario can be encountered when 8.6.x is in the Steelhead's image history, the Steelhead is running a pre-8.6 release that has a build date that is later than the 8.6.x release being installed, and that 8.6.x release is installed/downgraded to.

Example:
8.5.2 build date Dec. 20 2013
8.5.3 build date May 19, 2014
8.6.0 build date April 15, 2014

The following path would hit this bug:
8.5.2 > 8.6.0 > 8.5.2 > 8.5.3 > 8.6.0
(8.5.3 > 8.6.0 is a downgrade due to 8.6.0 being in the image history, and 8.5.3 build date is later than 8.6.0).

Avoid this scenario by ensuring that an upgrade, instead of a downgrade, to 8.6.x takes place. One must downgrade to a pre-8.6.x release that is in the image history and dated prior to the target release, and then upgrade to 8.6.x. From the previous example, the following path is successful:
8.5.2 > 8.6.0 > 8.5.2 > 8.5.3 > 8.5.2 > 8.6.0

In the loss-of-license condition, re-install the licenses, revert to the pre-8.6.x partition, or re-install a pre-8.6.x image that is in the image history, to recover the licenses and optimization.

• 193992 When Path Selection is enabled and the SteelHead is peered with an Interceptor, traffic is relayed if there are no Path Selection channels configured. The current connections reports may show Path Selection is occurring for the relayed traffic. No workaround.

• 216828 For optimized flows in which traffic from the server is marked with DSCP 0, the zero value is not copied onto the optimized channel if QoS marking is disabled. Instead, the DSCP mark from the client is reflected in the server-to-client direction. Setting an explicit marking on the server or enabling QoS marking on the server-side SteelHead will prevent this issue.

• 221376 When an IPMI alarm is raised, the web user interface may show the description twice; e.g., "Power Unit #0xf2:AC lost Power Unit #0xf2:AC lost". No workarounds exist.

• 200364 Link failure has been observed on certain NICs with Intel Chipset i350 (Riverbed part number 410-00115-01) when autoneg is turned off or hard set to full or half when speed is set to 100 Mbps or 10 Mbps. Setting speed and autoneg to auto/auto on one side with the other side hard set will bring the link up successfully. Another workaround is to hard set speed and leave the auto-neg to Auto instead of hard setting to full or half.
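
For item 173590 above: an added pre-flight check (not Riverbed code) that walks a planned install path and flags the step matching the loss-of-license condition, using the build dates from that item's example. The function names are hypothetical, and the model assumes every installed release stays in the image history.

```python
from datetime import date

# Build dates quoted in the release note's example for 173590.
BUILD_DATES = {
    "8.5.2": date(2013, 12, 20),
    "8.5.3": date(2014, 5, 19),
    "8.6.0": date(2014, 4, 15),
}


def _major_minor(release):
    major, minor = release.split(".")[:2]
    return int(major), int(minor)


def is_pre_86(release):
    return _major_minor(release) < (8, 6)


def is_86x(release):
    return _major_minor(release) == (8, 6)


def hits_license_bug(current, target, history, build_dates=BUILD_DATES):
    """True if installing `target` over `current` matches the 173590 condition:
    target is 8.6.x and already in the image history, and the running
    pre-8.6 release has a later build date than the target."""
    return (is_86x(target) and target in history and is_pre_86(current)
            and build_dates[current] > build_dates[target])


def risky_steps(path, build_dates=BUILD_DATES):
    """Walk an install path and return the (current, target) steps that hit it.
    Assumption of this example: every installed release stays in the history."""
    history, hits = {path[0]}, []
    for current, target in zip(path, path[1:]):
        if hits_license_bug(current, target, history, build_dates):
            hits.append((current, target))
        history.add(target)
    return hits


def safe_intermediates(target, history, build_dates=BUILD_DATES):
    """Pre-8.6 releases in the history dated before `target`: step down to one
    of these first, so that the move to 8.6.x is an upgrade."""
    return sorted(r for r in history
                  if is_pre_86(r) and build_dates[r] < build_dates[target])


if __name__ == "__main__":
    bad = ["8.5.2", "8.6.0", "8.5.2", "8.5.3", "8.6.0"]
    good = ["8.5.2", "8.6.0", "8.5.2", "8.5.3", "8.5.2", "8.6.0"]
    print(risky_steps(bad), risky_steps(good))
    print(safe_intermediates("8.6.0", {"8.5.2", "8.5.3", "8.6.0"}))
```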

7) UPGRADING THE RIOS SOFTWARE VERSION

Please review the Steelhead Appliance Installation and Configuration Guide for information on upgrading the RiOS software version on Steelhead appliances. For Virtual Steelheads, please see the Virtual Steelhead Appliance Installation Guide. If running Cloud Steelheads, please see the Riverbed Cloud Services User's Guide.

8) CMC COMPATIBILITY

Please review the Steelhead Appliance Installation and Configuration Guide for information on CMC compatibility.

9) HARDWARE AND SOFTWARE DEPENDENCIES

Please review the Steelhead Appliance Installation and Configuration Guide for information on hardware and software dependencies. For Virtual Steelheads, please see the Virtual Steelhead Appliance Installation Guide. If running Cloud Steelheads, please see the Riverbed Cloud Services User's Guide.

10) CONTACTING RIVERBED SUPPORT

Visit the Riverbed Support site to download software updates and documentation, browse our library of Knowledge Base articles and manage your account. To open a support case, choose one of the options below.

Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial +1 415 247 7381.

Online
You can also submit a support case online.

Email
Send email to [email protected]. A member of the support team will reply as quickly as possible.

©2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.
