RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD APPLIANCE
RELEASE DATE: DECEMBER 24, 2014
RIOS VERSION: 8.6.2

CONTENTS

1) Supported Steelhead Models
2) New Features in RiOS 8.6.2
3) New Features in RiOS 8.6.1
4) New Features in RiOS 8.6.0
5) Fixed Problems
6) Known Issues
7) Upgrading the RiOS Software version
8) CMC compatibility
9) Hardware and Software dependencies
10) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS

RiOS 8.6.2 supports CXx55, CXxx55, x50, xx50, CX570 and CX770 models.

Important: RiOS 8.6.2 does not support Riverbed xx20 models.

2) NEW FEATURES IN RIOS 8.6.2

This section provides an overview of the new features available in RiOS v8.6.2.

Full-Transparency with Enhanced Auto-Discovery Enhancement
Improved the enhanced auto-discovery protocol when used with full-transparency. After the connection between Steelheads has been established and data packets addressed to the server-side Steelhead are generated, the client-side Steelhead will check that the full-transparency in-path rule is present.

Improved SDR-Adaptive Functionality
Improved SDR-Adaptive functionality to monitor CPU usage in addition to disk load.

3) NEW FEATURES IN RIOS 8.6.1

This section provides an overview of the new features available in RiOS v8.6.1.

New Appliance Models
RiOS v8.6.1 supports the Series CX570 and CX770 appliances.

Baseboard Management Controller (BMC)
The Steelhead CX570 and CX770 models include Baseboard Management Controller (BMC) support. The BMC monitors the physical state of the appliance and tracks system and network watchdogs, error logs, and sensors. The sensors of a BMC measure internal physical variables such as temperature, power settings, and fan speeds, and trigger alerts for activity detected outside specified limits. For more information, see the Upgrade and Maintenance Guide.

Enhanced Product Diagnostics and Usage Reporting
A single encrypted HTTPS connection will be opened from each managed device, periodically delivering anonymized information to secure servers located at usage.comms.riverbed.com:443. In addition, a periodic DNS request will be directed to a dynamically-generated host ending in updates.riverbed.com. To disable reporting of product health and usage information, issue the commands no debug uptimereport enable and no debug health-report enable. Riverbed cares about privacy and data security. For more information, see http://www.riverbed.com/legal/privacy-policy

UI Current Connection Report Enhancement
Added the ability to filter based on connections for a specific Path Selection path name by entering the name into a "matching regular expression" filter.

CLI command reports GRE paths egress statistics
The show in-path gre-egress-tbl command reports GRE sources along with the number of packets and bytes received from those senders.

4) NEW FEATURES IN RIOS 8.6.0

This section provides an overview of the new features available in RiOS v8.6.0. For details, see the Steelhead Appliance Management Console User’s Guide, the Steelhead Appliance Deployment Guide - Protocols, the Steelhead Appliance Deployment Guide, and the Riverbed Command-Line Interface Reference Manual.

Path Selection Enhancements
Includes support for these features:
• Multiple and single firewalled paths using GRE tunneled paths. You can now create direct tunneled paths to steer traffic over any path that traverses a stateful firewall between the server-side Steelhead appliance and the client-side Steelhead appliance.
• Firewalled deployments using the Application Flow Engine (AFE) to identify and steer traffic flows.
• Symmetric and asymmetric traffic flows.

New SharePoint Optimization Diagnostic Reporting
Provides cache hit rates and totals for these SharePoint extensions:
• Web Distributed Authoring and Versioning (WebDAV) – HTTP/1.1 extension.
The local Steelhead appliance proxies transactions, fetching information ahead of time to serve data locally. For example, for directory browsing, the Steelhead appliances fetch structures of subdirectories, caching them for faster response to the client.
• FrontPage Server Extensions (FPSE), which enables the client application to display the contents of a Web site as a file system.

SSL Common Name Support for the AFE
Improves SSL application classification efficiency by allowing wildcards in SSL common name identification.

New Current Connection Details
Provides more information on QoS classes, applications, and outbound QoS marking for individual connections.

Over 350 Additional Applications in the AFE
Includes significant additions to the number of popular applications recognized by the AFE. The AFE enhancements further classify the various Microsoft Lync workloads. Lync is a multi-featured communications suite that goes across many protocols. The AFE covers the majority of the traffic generated between Lync clients and servers. The AFE greatly eases the process of identifying applications in Steelhead appliances. For a complete list of recognized applications, see the Steelhead Appliance Management Console User’s Guide.

Authentication Scaling and Load Balancing for Secure Protocol Optimization
Improves the number of applications per second and availability of domain authentication operations. The improvements meet the requirements of high-load environments for encrypted MAPI and signed-SMB traffic to load balance across multiple domain controllers. They also improve handling in environments where the domain controllers are not local to the server-side Steelhead appliance; for example, the domain controllers in Microsoft Office 365 data centers. For details, see the Riverbed Command-Line Interface Reference Manual.

MAPI and eMAPI Over IPv6 Optimization
Provides latency optimization for MAPI and eMAPI over IPv6. Authentication is over IPv4 only.
Communication to the domain controller is over IPv4 only.

HTTP Optimization Improvements
• Removes the 1 MB bypass limit for Steelhead appliances running RiOS v8.6. The limit is still in effect for a Steelhead appliance peered with a Steelhead appliance running RiOS v8.5.x and earlier. The HTTP cache limit is still 1 MB.
• RiOS now allows caching of HTTP Vary headers when encoding is set to None. Combine with strip compression to improve the cache hits.
• Added diagnostics for stream splitting.

Improved RiOS Data Store Encryption Performance
Includes several methods to alleviate lock contention, improving encrypted data store throughput and latency.

New System Administrator Role
Includes permission for all other RBM roles and permission to perform appliance administration, minimizing the need to assign an administrator role that grants full read-write access to all areas of the appliance. For details, see the Riverbed Command-Line Interface Reference Manual.

SSL Transport Layer Security (TLS) Support
Enhances security on the inner and outer SSL channels between the client-side and server-side Steelhead appliances. Support includes the TLS version 1.1 and 1.2 encryption protocols. For details, see the Riverbed Command-Line Interface Reference Manual.

5) FIXED PROBLEMS

Problems fixed in version 8.6.2

• 123997 Fixed an issue where a disk alarm is triggered after a RAID element fails.
• 138588 Stopped generating link-local IPv6 addresses for interfaces with an MTU value lower than 1280. This avoids the kernel error message "No buffer space available", since IPv6 requires the MTU on an interface to be at least 1280.
• 144119 RiOS software switches transparently from hardware to software compression when an error is detected on the SDR accelerator card.
This enhancement ensures that the optimization service resumes compression with the SDR accelerator card after a fixed timeout period (6 minutes), thus helping recover full functionality in the case of transient errors like memory pressure. If the error is determined to not be transient (10 or more failures in a 2-hour period), the service switches entirely to software compression. • 150658 Fixed an issue where the optimization service could crash if an optimized Outlook Anywhere connection is closed while is it processing HTTP request or response headers. • 151040 Fixed a race condition during delegation configuration to avoid process restart • 153082 Fixed an issue that caused crash of optimization service at Smb2::ClientParser::process_TreeDisconnectResponse(). The crash was due to an attempt to update metadata in an unoptimized node during Tree Disconnect operation. The crash is likely to occur in Smb2::ClientParser::process_SessionLogoffResponse() as well due to similar attempts made during Sessons Logoff operation. The fix adds checks to avoid updating metadata in unoptimized nodes. 5 allowing Outlook to gracefully recover. The failure resulted from the increase in memory usage of the system during a software upgrade.x. The absence of this secondary communication resulted in the appliance not showing up against the license on the Cloud Portal. The corruption was caused because of lingering closed connections in the connection table.y. • 165671 Fixed an issue where the 'image fetch' command would fail if the disk drive containing the /var directory was replaced.x. After the fix the Lotus Notes Encryption Optimization blade checks to see if the connection is being terminated before it processes messages from the SSL Secure Peering blade. This connection will be passed through.• 158834 Fixed an issue with Notes Encryption Optimization where the server-side Steelhead fails to forward traffic to the unencrypted server port. 
• 164421 Corrected code logic specific to http HEAD request that was improperly blocking data. • 163276 Fixed the handling of empty kerberos request packets on HTTP connection. • 164812 The optimization service will now close the MAPI connection if an error condition is encountered during optimization. This occurred in the following conditions: 1) Enhanced Auto-Discover (EAD) disabled 2) Fixed target rules between Steelhead appliances 3) Probe-caching enabled This can result in the encrypted Notes connections not being optimized. 6 .y. • 162553 Fixed the communication between the ESX Cloud SteelHeads and the Cloud Portal. The fix gracefully removes closed connections from connection table thus avoiding corruption. • 165611 Fixed the memory allocation failure that caused InPath interfaces to stay offline after a software upgrade. In this case you will see a log message like the following: [notesencr2sfe. • 159262 Hardware watchdog timed out during lookup of a connection in a corrupted connection table.x:x y. • 163476 Fixed a leak of file descriptors in the winbindd process that can result in protocol errors for new Signed SMB or encrypted MAPI connections • 164034 Fixed an issue where optimized bandwidth limits were not enforced on MxTCP connections.NOTICE] 1 {x. • 166355 Fixed a kernel crash that may occur because of incoming out-of-order fragmented TCP packets when the QoS and/or Path Selection feature is enabled. • 162336 Fixed a rare timing-related issue where the optimization would shut down if the SSL Secure Peering handshake completes at the same time as an optimized encrypted Lotus Notes connection is being torn down. Note from the log that port 1352 was used even though Steelhead was configured to send traffic to unencrypted port 1353.y:1352} Server is requesting encryption on port 1352 and therefore cannot be optimized. included the GRE header of each packet that egress GRE tunnels. 
7 .6.• 166967 The service crash following a service restart after a SDR Card failure has been fixed. This feature was disabled by default before RiOS 8. causing the client to eventually close the connection. • 187833 Fixed a memory leak in RiOS kernel that may occur in the client-side SteelHead in rare conditions where a client is opening a very large number of shortlived connections and the optimized connection setup between SteelHeads fails. the inner channel for Citrix packets were incorrectly marked with the 0x3F DSCP value. • 187862 The Qosd memory leak was fixed and no leaks have been seen with this release. The feature should not be disabled under normal circumstances. but the connection has previously encountered an optimization error. • 191775 Fixed an issue where the byte count reported by the CLI command. With this change such a blacklist entry is only made on the 2nd invalid login request on a MAPI connection. "show inpath gre-egress tbl". This can occur if the "admin" account is not authorized by the TACACS+ server to execute the "exit" command in the CLI. Certain find requests on folder content were not forwarded to the server. • 194051 Fixed an optimization service crash that can occur when an optimized MAPI connection opens a second MAPI protocol context. and if it cannot exit from the CLI. Outlook can send an invalid login request and this resulted in a MAPI blacklist entry on the server-side Steelhead. • 192346 Fixed an issue that caused an error to be reported when non correct mode IPv6 addresses are entered in the delegation lists (delegate-all. delegate-all-except) • 193744 GeoDNS for SH SaaS is used to locate the closest SteelHead against the destination Exchange-online (Office 365) server. • 191370 Fixed an issue where invalid login requests can result in MAPI blacklist entries. • 173665 Increased the memory admission control values so that they are adequate to support the maximum prescribed load for SteelHead models 770L and 770M. 
The feature has now been enabled by default. • 167210 Fixed memory leak in DC discovery locator process. the collection cannot complete. During sysdump collection the CLI is launched multiple times internally.2. • 191792 Fixed the issue where when AppVis is enabled and DSCP-marking is not enabled. • 166977 Fixed an issue that caused sysdump collection to get stuck when TACACS+ per-command authorization is configured. This will allow a recovery and successful login by Outlook on the second attempt. • 191761 Fixed an issue that results in failure of directory synchronization using ViceVersa software when CIFS optimization is enabled. • 200048 When SDR adaptive is enabled (either Legacy or Advanced). assert_failure(char const*. in ActionInternal::is_cancelled() const () #5 0x0.. Fix --Upgraded Apache on RiOS 8.2.27 with patches) for CVE-2014-0117. char const*.-} ASSERTION FAILED (lock_->held_by_me()) at /builddir/build/BUILD/sport-0. void*) () #6 0x0.cc:50... in assert_failure(char const*. At the point of crash the following log message was seen on the server side SteelHead: [assert. to fix multiple Denial of Service issues. CVE-2014-0231 Details ------CVE-2014-0117: mod_proxy: DoS attack against a reverse proxy via a crafted HTTP Connection header.{. int) () #4 0x0.2 to 2.1/rbt/iocore/action..4 to 2..28 (or 2. The stack trace pointed to an assertion failure in the event system code: #2 0x0.CRIT] .10 and 2.• 195020 Upgrade Apache httpd 2.. EventType. use sustained CPU pressure as an alternate trigger to send resource pressure messages to a peer steelhead.. CVE-2014-0226: mod_status: Heap overflow denial of service attack.. in EventThread::process_pollfds(int) () #7 0x0. CVE-2014-0231: mod_cgid: DoS against CGI script due to lack to timeout. void*.0 and higher. 8 .. CVE-2014-0118: mod_deflate: DoS via highly compressed crafted request message body. char const*. in NetIOChannel::handle_event(EventSource... 
in EventThread::run() () The crash happened because our optimization service was performing read/write operations on an aborted TCP connection between the server side SteelHead and the Lotus Notes server. Recommendation Upgrade to patched version if applicable • 197894 Fixed an issue to show IP's specified in'protocol domain-auth delegation rule dlg-only' command show up in the 'show running config' command output. • 200449 Fixed a problem that caused an assertion failure when optimizing encrypted Lotus Notes connections. CVE-2014-0226.4.2. char const*. CVE-2014-0118. Note that RiOS is not impacted by CVE-2014-0226 as it does not include the affected mod_status module. int) () #3 0x0.. N/A. Bindings (1 of 1):{/hw/hal/ipmi/query/allevents. and CLI and WebUI access becomes slow or unresponsive. Existing SEL entries are now cached in RiOS and only new entries need be retrieved through IPMI. Auto-discovery could have failed (leading to passthrough connections) due to auto-discovery packets not reaching the client side SteelHead. which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) by sending invalid packets to a VxLAN interface. • 204870 Enhanced the error message logged when optimization service cannot be enabled if none of the in-path interfaces have an IPv4 address configured. Fix --Patched the Linux kernel to fix CVE-2014-3535 Recommendation Upgrade to patched version if applicable.• 200896 CVE-2014-3535: Linux kernel Vxlan NULL pointer deference flaw Details ------CVE-2014-3535: The Linux kernel before 2. • 205495 Fixed an issue where messages like the following may show up in the logs. causing the TTL to reach zero faster than the actual number of hops the packet traverses. [mgmtd.36 incorrectly uses macros for netdev_printk and its related logging implementation.N/A} This was usually caused by large numbers of SEL entries where requesting them can be slow. 
The TTL on auto-discovery packets were being reused from the previous packet on the flow.6. • 204080 Fixed a problem with Discovery Agent and agent-intercept mode optimization on long network paths with many hops. 9 .NOTICE]: Waited [x] secs for [query request]. 0o to patch openssl security vulnerabilities (libs used by sport) Details ------The OpenSSL security advisory https://www.1j/1. 10 .• 205665 Upgrade to openssl 1.org/news/secadv_20141015.0 even if both sides of the connection support higher protocols.openssl. SSL 3.0. Fix --OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20141015. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566). Recommendation Upgrade to patched version if applicable.txt identifies several vulnerabilities of which the following impact RiOS: CVE-2014-3566: Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers.0. 9. This update also includes a fix for CVE-2014-3513. as used in OpenSSL through 1. CVE-2014-3567 (Session ticket memory leak): A flaw in the session ticket integrity check mechanism allows an attacker to cause a denial of service attack by sending a large number of invalid session tickets. CVE-2014-3567 and CVE2014-3568. Recommendation Upgrade to patched version if applicable 11 . • 205927 CVE-2014-3660: libxml2: denial of service via recursive entity expansion Details ------Libxml2 before 2. CVE-2014-3566. the option was effectively ignored. This memory leak issue has been resolved in this bug. which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references.1i and other products.• 205667 Upgrade OpenSSL to 1. 
which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack. and SSL 3. Fix --Upgraded libxml2 package to address CVE-2014-3660.2 does not properly prevent entity expansion even when entity substitution has been disabled. though RiOS is not impacted by it.0. Recommendation Upgrade to patched version if applicable • 205746 Fixed an issue where a memory leak could occur in the mgmtd process when loading a Steelhead current connection report with more than 500 optimized connections.1j for security advisory "secadv_20141015": CVE2014-3513.0.0. CVE-2014-3568195020 Details ------This update addresses the following issues: CVE-2014-3566 (POODLE attack): The SSL protocol 3. a variant of the "billion laughs" attack. Fix --OpenSSL has been updated to address CVE-2014-3566.0 was still allowed. uses nondeterministic CBC padding. CVE-2014-3568 (Incomplete no-ssl3 build option): When OpenSSL is configured with "no-ssl3" as a build option. CVE-2014-3567. and 0.9.Problems fixed in version 8. when processed by an application linked against libxml2.9.8zb.0 before 1. and unspecified other functions. which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline.openssl. and 1.0.1 before 1.0. FIX --Upgraded libxml2 to fix security vulnerabilities CVE-2014-0191 and CVE-2013-2877.0.1i. A remote attacker could provide a specially crafted XML file that. when multithreading and session resumption are used. CVE-2013-2877: An out-of-bounds read flaw was found in the way libxml2 detected the end of an XML file. CVE-2013-2877: Libxml2 security update RHSA-2014:0513-1 DETAILS ------CVE-2014-0191: It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled.0. does not ensure the presence of '\0' characters.0n.0.6.c in OpenSSL 1.9.8 before 0.0. could cause the application to crash. 
allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data. 1.1i. CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.1 before 1. RECOMMENDATION Upgrade to patched version if applicable. possibly resulting in a denial of service or an information leak on the system.c in OpenSSL 0. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks.1i. 12 .txt identifies several vulnerabilities of which the following impact RiOS: CVE-2014-3508: The OBJ_obj2txt function in crypto/objects/obj_dat.0.1b • 154841 Fixed an issue where non-ascii usernames can result in the Domain Communication alarm being raised for Signed-SMB or Encrypted MAPI connections.0 before 1. • 196534 Upgrade OpenSSL to 1.org/news/secadv_20140806. • 193347 CVE-2014-0191.0. when pretty printing is used.0n. 1.0.0n and 1. X509_name_print_ex.8zb for security advisory "secadv_20140806" (CVE-2014-3508 CVE-2014-3509 CVE-2014-3511 and others) DETAILS ------The OpenSSL security advisory https://www.0. txt identifies several vulnerabilities of which the following impact RiOS: CVE-2014-3508: The OBJ_obj2txt function in crypto/objects/obj_dat. RECOMMENDATION Upgrade to patched version if applicable.1 before 1. FIX --OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20140806.0 before 1.1i allows man-in-the-middle attackers to force the use of TLS 1.1i.0.CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr.0.0.8zb for security advisory "secadv_20140806" .c in OpenSSL 1.1i. 13 . • 196537 Upgrade OpenSSL to 1.9. when multithreading and session resumption are used. and unspecified other functions. related to a "protocol downgrade" issue.9. 1.0.0. and 1. 
CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr. FIX --OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20140806. CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib. does not ensure the presence of '\0' characters.0 before 1. RECOMMENDATION Upgrade to patched version if applicable.8 before 0. related to a "protocol downgrade" issue. allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.0.1 before 1.8zb. 1.org/news/secadv_20140806. and 0.0.c in OpenSSL 0.c in OpenSSL 1.0.1i.0.1 before 1.0n.1i allows man-in-the-middle attackers to force the use of TLS 1.1 before 1.0.0n and 1.0n.openssl.Sport Side DETAILS ------The OpenSSL security advisory https://www.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions.0.9. X509_name_print_ex.c in OpenSSL 1. when pretty printing is used. which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline.0.0.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions.0. CVE-2014-4342. CVE-2014-4342: MIT Kerberos 5 (aka krb5) 1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.x before 1. (2) LANG.12.x through 1. or other locale environment variable.• 197047 Krb5 1. CVE-2014-0475: Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2. 14 . (dot dot) in a (1) LC_*.12. CVE-2014-4344.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference. 
CVE-2014-4344: MIT Kerberos 5 (aka krb5) 1.7.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .12. • 200367 glibc security update for CVE-2014-5119 and CVE-2014-0475 DETAILS ------CVE-2014-5119: Off-by-one error in the GNU C Library (aka glibc) allows contextdependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.x before 1.12. CVE-2014-4342.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session. and application crash) by injecting invalid tokens into a GSSAPI application session. FIX --Krb5 has been patched for CVE-2014-4341. and CVE-20144344 DETAILS ------This security update addresses the following issues: CVE-2014-4341: MIT Kerberos 5 (aka krb5) before 1.5. RECOMMENDATION Upgrade to patched version if applicable.12.x through 1..9 security update for CVE-2014-4341. Problems fixed in version 8.FIX --Glibc packages updated to fix CVE-2014-5119 and CVE-2014-0475 RECOMMENDATION Upgrade to patched version if applicable. and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. Certain services and applications allow remote unauthenticated attackers to provide environment variables.6. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. CVE-2014-7169: Bash Code Injection Vulnerability via Specially Crafted Environment Variables DETAILS ------CVE-2014-6271: A flaw was found in the way Bash evaluated certain specially crafted environment variables. CVE-2014-7169) As a part of this update. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. 
CVE-2014-7169: It was found that the fix for CVE-2014-6271 was incomplete.1a • 202898 CVE-2014-6271. the following related issues were also fixed: CVE-2014-6277 CVE-2014-6278 CVE-2014-7186 CVE-2014-7187 Recommendation Upgrade to the appropriate patched versions of software as listed in the above KB article. 15 . Please refer to this knowledge base article for detailed information on the impact of this vulnerability on Riverbed products and services: https://supportkb.com/support/index?page=content&id=S24997 FIX --The Bash component was updated in Riverbed products and services to fix the "ShellShock" vulnerability (CVE-2014-6271.riverbed. allowing them to exploit this issue. allowing them to exploit this issue. Certain services and applications allow remote unauthenticated attackers to provide environment variables. 1 • 77755 This bug fix helps the optimization service gracefully recover when a corruption is detected in the index by repairing the data structures that form part of the index.Problems fixed in version 8. whichever came first.6. • 94089 The Common Name field on a Certificate Signing Request should include the local hostname for full browser compatibility. • 151996 For Path Selection. This fix makes sure the output buffer is big enough to handle such scenarios. The Web user interface now shows a warning when the hostname is not included in the Common Name. • 148619 Fixed a severe SSL CPS performance degradation issue when the FIPS mode was enabled on the SteelHead. a SteelHead under moderate load might enter into a busy wait loop. In some rare cases. Inbound QoS has been modified to limit processing too many packets in a single pass. • 147174 Enhanced NetFlow flow records to indicate to CascadeFlow collectors that the SteelHead interface data exported may have been incorrect in virtual in-path deployment or when Path Selection was enabled. unhealthy threads follow" • 146046 With inbound QoS enabled. 
the period of time available for the rcud process to recover from an unhealthy state was short. 16 . This period has now been increased to allow the rcud process to recover when the appliance enters high CPU or disk load state. the outputs for the show connection and show flow commands now mark paths used for the inner connection pool with –an asterisk (*) to help differentiate those paths from the paths that were used for the queried connection. • 154088 This bug fixes a crash in RiOS resulting from compression failure of a specific data pattern. The performance degradation was due to heavy use of certain FIPS locks used by OpenSSL. this culminated with a reboot triggered by the hardware watchdog. connection drops. This recovery occurs transparently without triggering a service crash. This modification prevents the watchdog from timing out and causing a reboot. Timeout would occur after the inactivity delay set in Web Settings or five minutes after the main window or tab was closed. The failure was caused due to incorrect sizing of the output buffer. During high CPU and disk load spikes. • 129100 Fixed an optimization device failure that would occur along with messages similar to "watcher: One or more threads not responding after at least [x]s. or loss of data integrity. The fix avoids read operations on FIPS locks to improve performance safely. • 147363 Fixed an issue that resulted in a crash of the rcud process during high CPU and disk load on the SteelHead. • 149216 Fixed an issue where opening a continuous log window could prevent a user's Web session from timing out. • 162513 Fixed an issue where in certain rare cases. This limit has been removed as it has been found to inhibit beneficial optimizations on subsequent transactions. by design. • 159811 Fixed an issue where the domain-health test widgets were not honoring encrypted LDAP settings on domain controllers resulting in test widget failures. 
• 158787 Fixed an issue where a CX570 or CX770 Steelhead would display errors in the syslog. • 156182 Fixed a potential but unlikely issue where the system shutdown could take more than 20 minutes. which do not impact operation and can be ignored: Feb 10 00:00:39 sv-sh99 hald[7665]: [hald. • 159419 Enabled multiple hardware queues for 10 G interfaces in order to improve the performance for QoS marking and Path Selection.INFO]: hald_handle_query_request(). as they do not use RAID. with the intent that large transfers would not benefit from latency optimization. build (null): No handler for bnode /hw/hal/raid/disk/0/disk_wear Feb 14 11:32:05 sv-sh99 hald[7707]: [hald. • 155336 Fixed an issue where the disk space for logs became full after collecting Application Visibility statistics. Old model detected these warnings have been removed from the CX 570 and CX 770 models.c:631. • 159136 Fixed a statistics accounting issue where bytes sent or received were erroneously accounted multiple times towards a single port. The "Needs Attention" status now clears appropriately. hald_main. 17 . The system now dynamically scales back Application Visibility granularity thresholds when low disk space is detected. This fix works only when QoS shaping is disabled. The fix gracefully handles this condition by initializing the TCP connection state to the correct value to prevent service disruption. • 160271 Fixed an issue where our LDAP library was not being complied with SASL support needed for encrypted ldap support for the auto-delegation and password replication policy features.• 154381 Fixed an issue where a closing TCP connection that was simultaneously opened by the SteelHead and any other device in the network would result in a RiOS kernel crash. • 155940 HTTP latency optimization was bypassed on large chunk encoded transfers. 
• 162474 Fixed an optimization service crash when an optimized Outlook Anywhere connection was closed immediately after opening.NOTICE]: RAID MOD: No need to initialize. such as the following. the SteelHead could report a "Needs Attention" status even though the condition that caused it had cleared.
• 162543 Fixed an issue where the alarm indicating IPv6 incompatibility between connection forwarding neighbors did not clear after the neighbors disconnected.
• 162723 Fixed a memory leak in the statistics gathering subsystem that can result in “paging activity too high” alarms after several months.
• 163324 Added a new alarm in RiOS that is triggered if Path Selection probe responses arrive at a WAN interface that is different from the WAN interface on which the probe requests were sent.6.
• 164384 Fixed an issue where Path Selection information for a connection was not visible in the UI "Current Connections" report.
• 164188 Fixed the httpd settings to prevent the "No slotmem from mod_heartmonitor" message that was intermittently seen in the httpd logs. The key size is no longer allowed to be 512. This problem did not cause any functional issues. however.
• 164014 Enhanced error notification to explain that configuring Path Selection channels on a SteelHead that is not peered with an Interceptor is not supported. "Operation is not supported in the given platform" is now printed on the console if the user enters this command. and 8783 to SMB3. which introduced these key lengths in version 8.6. With the fix.
• 164503 Corrected a problem where the order of the incoming data was corrupted after the client TCP connection was reset.
• 164133 Access to SOAP APIs was not available in 8.
• 164561 The Web user interface now supports key lengths of 3072 and 4096 for generating CA certificates. no corrupt data was ever sent to the client or server. CX770.
• 164191 Enhanced Path Selection probing logic to drop probe requests that ricochet through the SteelHead.
The descriptions were corrected for ports 8781. This problem was leading to an internal crash. This change helps in detecting paths as being down in cases where a downstream router may reroute probe requests and such packets ricochet through the SteelHead. This change provides parity with the command-line interface. respectively.
• 163925 Three SMB3 port descriptions were corrected on the Monitored Ports configuration page of the Web UI. SOAP APIs should now be accessible.
• 163298 The memory limit of the QoS process qosd was removed so that it no longer crashes when its memory usage hits 500MB.0.
• 164382 The CX570. • 164805 Fixed an issue in the RiOS kernel that could result in a kernel panic while adding a VLAN tag to an unoptimized packet during path selection.
• 163505 Fixed a problem that resulted in the log message "[cli. and SMC platforms do not support the CLI command no remote password. and SMB3 Encrypted.0. SMB3 Signed.ERR]: user monitor: No response from HAL for uses_hardware_wdt" occurring when a nonadministrative user logged in. The fix involved introducing NULL pointer checks.1 DirectoryString to use UTF8String.1h updated the default mask for encoding the ASN.
• 164837 Fixed an issue that resulted in Windows clients failing to connect to a share on Windows 2012R1 Server with update KB2934016 installed.1h updated the default mask for encoding the ASN. OpenSSL 1.
• 192177 Fixed an issue where renewing the SSL peering trust between SteelHeads failed due to certain SCEP servers that rejected the CSRs generated by SteelHeads.
• 165343 Fixed a crash of the SteelHead optimization service when the Server Certificate Chain Discovery feature was enabled on the server-side SteelHead. and this has been reverted to PrintableString. Please note that this resizing operation will clean the data store. Upgrading to an image containing the fix will result in a size change.
• 191836 Fixed an issue where the SSL peering trust between SteelHeads would not establish due to certain SCEP servers rejecting the CSRs generated by SteelHeads. This size is calculated based on the server's maximum transaction size.0. This issue affected both optimized and passthrough traffic. The fix corrects the size of the metadata prefetch request issued by the client-side SteelHead. The process crashed due to a NULL pointer dereference.0.
• 165828 Fixed an issue where VLAN tags were stripped when the packets went through an ESX-based Virtual SteelHead. Increasing the maximum transaction size to 8 MB by Windows update KB2934016 exposed a bug in the computation of the prefetch request size. OpenSSL 1.
• 165212 Fixed an issue related to a collectord crash under high disk load. and this has been reverted to PrintableString.
• 165262 Enhanced the logic that maintains the state for optimized connections in the RiOS kernel to prevent referencing stale data that may have resulted in a kernel panic.1 DirectoryString to use UTF8String.
• 166647 Decreased the number of syslog messages printed by MAPI optimization so only one of those messages is logged for each optimized MAPI connection.
• 165077 Modified the data store configuration file for the CX770L and CX770M models to change the data store size from 100 GB to 150 GB. The crash was due to memory exhaustion during high load.0.. Workaround: Set both the SteelHead interface and switch to use auto negotiation before upgrading to 8.6.2. This problem did not impact normal system operation.
• 165027 IIS is sometimes responding with 401 authentication responses while an HTTP POST request is still sending data.
• 165657 Fixed a problem where automatic emails were sent from 32-bit appliances indicating /usr/lib64/sa/sa1 and /usr/lib64/sa/sa2 were missing. The stack contained these function calls: #0 0x...
[/citrix/cfe/DriverStack INFO] {<client_ip>:<client_port> <server_ip>:1494|2598} Parsed driver at index QQ Problems fixed in version 8.0. The fix will only apply a configuration that is supported by the interface. in UiDriver::UiDriver(AbstractDriver::DriverHeader const&. BufReader*. in IcaContext::basic_decrypt(Citrix::ByteBuffer*. if the interface speed and duplex was configured for 100 full (without using autonegotiation) on both the Steelhead and the connected router or switch. These commands were used to collect system activity data which was used in system debugging.. bool) () #1 0x. change the setting back to speed 100 full duplex. std::allocator<char> >*) () #3 0x. in AbstractDriver::create_driver(AbstractDriver::DriverHeader const&. • 165217 Fixed the Steelhead's Client Authentication support feature to allow bypassing the connection when the ECDHE-RSA cipher suite was chosen..6. BufReader*.. bool*) () #4 0x. • 165253 The fix prevented the SteelHead from crashing and correctly handled connections to TCP server port 7840. in DriverInitResponse::DriverInitResponse(unsigned char. • 153178 Application Visibility process collectord crash has been fixed. This triggers a connection level bypass.0a • 130193 Fixed an issue where an interface would lose link after upgrading to 8. bool. bool*) () #2 0x.. BufReader*.5. 20 .. in Citrix::DriverStack::parse() () . and potentially a crash on the SFE due to a defect in the bypass functionality introduced in 8.• 192199 Fixed a problem that caused a crash in the optimization service when the Citrix protocol optimization component parsed the start of a Citrix connection..0.. The crash happened while parsing a Citrix client packet at the start of the connection.... These messages were observed in the system logs immediately before the crash: .. std::basic_string<char. std::char_traits<char>. After performed the upgrade. unsigned short.6. 0. FIX --Upgraded OpenSSL as used by the Steelhead optimization service process to 1. 
The issue was due to a memory leak while handling SMB2 read responses when 'end of file' information was invalid.0. optimization service crash at alloc().0. and 1. which allowed man-inthe-middle attackers to trigger use of a zero-length master key in certain OpenSSL-toOpenSSL communications.0.9. 1.8za. and consequently hijacked sessions or obtained sensitive information.8) to fix CVE-2014-0224. • 168159 CVE-2014-0224: OpenSSL weak keying MITM vulnerability DETAILS ------OpenSSL before 0.0.1h did not properly restrict processing of ChangeCipherSpec messages. • 166984 The fix was to program the interface to do the correct link negotiation based on the interface setting.0. The issue could have resulted in admission control.1h did not properly restrict processing of ChangeCipherSpec messages.0.1 before 1.9.0m.1h (or 0.• 165705 Fixed a memory leak issue that resulted in high memory utilization on the SteelHead. The optimization service would create an optimized NSPI connection for every TCP connection to a server TCP port 7840. or general slowness. and 1.0m.0.9. 1.9.0 before 1. via a crafted TLS handshake.1 before 1.8za for some older releases using 0. aka the "CCS Injection" vulnerability. which allowed manin-the-middle attackers to trigger use of a zero-length master key in certain 21 .0. Now only if MAPI or NSPI were enabled would those connections have received the corresponding latency optimization. Now only if MAPI or NSPI were enabled would those connections have received the corresponding latency optimization. 
Note: This patch also addressed the following security bugs that DID NOT affect RiOS: DTLS recursion flaw (CVE-2014-0221) DTLS invalid fragment vulnerability (CVE-2014-0195) SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) Anonymous ECDH denial of service (CVE-2014-3470) • 168163 CVE-2014-0224: OpenSSL weak keying MITM vulnerability DETAILS ------OpenSSL before 0. • 165809 The optimization service would create an optimized MAPI connection for every TCP connection to a server TCP port 7830 even if the MAPI feature was disabled.0 before 1.8za. This fix monitored pool connections for socket errors and removed them from the pool upon detecting an error. • 74266 When using encrypted MAPI.6. via a crafted TLS handshake. Outlook may use the SCHANNEL authentication protocol (auth type 14). which was not supported with RiOS 8. and consequently hijacked sessions or obtained sensitive information.1h (or 0.9. aka the "CCS Injection" vulnerability.html • To fix this. This patch also addressed the following security bugs that did not affect RiOS: DTLS recursion flaw (CVE-2014-0221) DTLS invalid fragment vulnerability (CVE-2014-0195) SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-20105298) Anonymous ECDH denial of service (CVE-2014-3470) Problems fixed in version 8.0.mitre.0. Outlook Anywhere and Smartcards to provide client authentication.5. all passthrough traffic tagged with VLAN 0 now will go through. Setting the flag prevented cross-site scripting (XSS) attacks targeting the user's session cookie. In an in-path setup. See: • https://www. the Steelhead now uses the HTTP-only flag.php/HttpOnly http://cwe. With this fix special characters like \n will not be shown as #012.8za for some older releases using 0. it would get an error and destroy the optimized connection. 
• 62550 Browser cookies could be assigned an HTTP-only flag. This fix ensured that both Control and Data channels were chained correctly to the DPI engine.org/index.
• 76017 This was fixed by replacing escape characters with spaces.
• 74013 Fixed a problem where setting up an optimized connection failed due to using a broken inner pool connection. When the optimization service attempted to send data over the broken connection.
• 67594 Fixed scenarios where the Data channel was not sent to the DPI engine resulting in inconsistent classification behavior.0
• 59875 Fixed issue where VLAN-tagged frames belonging to VLAN ID zero were dropped.owasp.org/data/definitions/79. FIX --Upgraded OpenSSL was used by device management to 1.8) to fix CVE-2014-0224.OpenSSL-to-OpenSSL communications. which prevented them from being accessed by scripts.9. All Steelhead-destined traffic tagged with VLAN 0 will still be explicitly dropped to keep the same behavior as before. WARN] and [sslinnerchan/SrvClosed. which would eventually cause the watchdog timer to detect the threads as unhealthy and temporarily put the optimization service in bypass.
• 120746 Fixed an issue that resulted in out-of-memory condition on the client-side Steelhead leading to a crash.
• 90698 Fixed an issue which resulted in crash of server-side optimization service when Smb2 blade's read-ahead was enabled. This would result in other threads being blocked while trying to acquire the lock.
• 108661 Old implementation of EPM blade could not handle NDR64 transfer syntax and to prevent client and server from using NDR64.WARN] with the message Shutting down the splice: unexpected message corresponded to benign activity that occurred when SSL secure inner channel was used for non-SSL traffic. The crash was due to an update to readahead window issued by client-side Steelhead when there was no read-ahead handle on the server-side Steelhead.
The fix gracefully handles this situation by stopping just the application level (layer 7) optimization only on the connection that experiences this issue. The messages have been removed.
• 77601 Inadvertent WARN level messages from [sslinnerchan/CliClosed. the RBM user roles are ignored for Steelhead Cloud Accelerator features. it nulled out NDR64 transfer syntax during EPM bind.and server-side Steelheads. If multiple client-side Steelheads are deployed in a cluster. and now it lets the client and server use NDR64 and correctly handles NDR64 traffic. RBM users with DENY permissions in all roles are allowed access to Steelhead Cloud Accelerator UI pages and Steelhead Cloud Accelerator commands.0 or later.
• 78637 The CLI support show ether-relay now correctly reports entries of all relay devices.6. for example NDR32 and NDR64. Buffering of write requests has now been made configurable. but some clients and servers did not like this and closed the connection resulting in disruption of service.
• 113802 Fixed a problem where a lock was not properly being released in the Citrix optimization blade. The issue was due to buffering of write requests during NFS write-behind optimization.
• 120103 All Outlook Anywhere connections from a client computer needed to be optimized by the same set of client.
• 95504 Removed the 1 megabyte HTTP response bypass limit so that a larger response no longer triggers optimization bypass as long as both Steelheads are running 8.
• 99396 Fixed an issue that viewing Alarm Status page may encounter item unexpectedly already existing errors when an IPMI alarm was triggered. the Interceptor is automatically configured to reliably select the same client-side Steelhead for subsequent Outlook Anywhere connections from a given client.
• 109501 Currently. The EPM blade has been rewritten from scratch to parse and handle different kinds of transfer syntaxes.
The issue was resolved by disabling it by running the below CLI command on the client-side Steelhead: 23 . 0. IPv4 addresses are displayed in the x. • 129534 This fix restores the original behavior of the upgrade script. • 127332 The file <type> upload <file name> command can now be used without additional parameters to upload to the Riverbed support site. resulting in the Steelhead storage controller getting into a FAULT state and the appliance becoming unresponsive.x dotted quad notation. Some log messages prepended ::ffff: to the IPv4 address. If it is disabled. • 122882 Fixed an issue where IPv4 addresses were sometimes incorrectly formatted in log messages. • 128149 Fixed a Linux kernel jiffies overflow problem on 32-bit Steelhead which might have led to a kernel crash when Inbound QoS was enabled. with the client-side Steelhead containing this fix. With the fix. such as applying QoS to primary interface. The file upload stop command is now available to stop an in-progress upload. the upload now has an error indicated in show uploads.0. ::ffff:10. • 127119 Added a mechanism to stop uploads of diagnostic files in progress. Codec flow control is enabled by default. • 127721 When a URL without a trailing slash is used to upload dumps to a directory (rather than a file in a directory) on the server.1.x. The fix works around the problem by monitoring the state of storage adapter and hard-resetting the adapter if it is stuck in the FAULT state.x. • 124033 Object Prefetch and Stream Splitting feature code was updated to cache responses containing "Vary: Accept-Encoding".0 or later releases. An additional parameter may be given to specify a Riverbed support case number or (to get the old behavior) a URL to upload to instead of the Riverbed support site. if no Content-Encoding is present in the response. This could result in failures of activities depending on the link state. 
This behavior was enabled by default and can be toggled using the following CLI command: '[no] path-selection settings ttldecrement enable' • 126135 Fixed an issue where certain SMART query triggered a bug in a SSD with certain versions of firmware. Codec flow control must be enabled on both the Steelheads for the fix to be effective. • 125506 Enhancement to reduce IP TTL value of passthrough packets when such packets are steered by path selection.• no protocol nfs buffer-wrt-reqs enable Note: Client-side and server-side Steelheads must be running on RiOS 7. e. it can be enabled with: sport codec flow-control enable. 24 . • 121070 Fixed an issue where link state of primary interface was not properly reported on a Virtual Steelhead.g. • 136892 Fixed an issue where packets of passthrough flows not subjected to path selection and were fragmented if they were larger than the in-path interface MTU. 7055M/H). and resulted in performance and stability issues. an alarm is raised indicating that the WAN bandwidth is greater than the detected link rate. Fix involves handling of unchained responses to a single chained request on the server-side Steelhead. If the interface is down. and improved OPT caching policy. the failed disk was not offlined. The permissions on the mfdb file were set incorrectly. • 135942 This fixed a bug in the decoder that triggered an optimization service crash when handling corrupt packets. • 134683 Fixed an issue that affected file access on NetApp ONTAP 8.1. • 136288 Added checks to avoid accessing invalid information that could cause the optimization service crashes. a certain load was not evenly distributed among the available cores on models with an SDR card (7050M. • 135268 This bug fixes the mdadm crash issue when reassembling raid disks where one raid element is missing.0. The issue existed only when Path Selection is enabled. so login failed. • 137696 Fixed an issue where with 8.2+ clustermode filer due to timeouts. 
The fix ensures that sport gracefully handles corrupt packets by attempting recovery and closing the connection if recovery fails. Fix involves corrections in handling of failure of names encode and decode operations.x software.
• 130630 Corrected incorrect memory usage calculation for HTTP optimization that led to new responses not being cached.
• 133206 Removed the restriction that an interface must be up and connected in order to configure the WAN link rate and enable QoS on it. Current sdh: sense key Medium Error kernel: Additional sense: Unrecovered read error
• 137589 The fix improves the connection information retrieval. which is not allowed anymore.
• 135671 Fixed an issue where 'show running-config' command was displaying the mask length for snmp-server command with / prefix.
• 130281 Fixed an issue that resulted in optimization service crash on the client-side Steelhead at sunrpc::ServerCacheList::add_extent(). and caused the disk continue to be accessed.
• 138208 Strengthened security around Riverbed customer support diagnostic access. preventing these users from reading the file during login. as well as logs like: kernel: Info fld=0x23.
• 137215 Fixed an issue where some disk failures were not handled properly.
• 130991 Fixed an issue that prevented RBM users and the monitor user from logging into the CLI.
• 139239 Fix to ensure that DNS lookups do not happen on every request to discover the Key Distribution Center. With this fix. The crash occurred when LeaseBreakNotification on a connection did not acquire proper lock before updating lease state on another connection to which the lease belonged. In turn if the disk I/O becomes unresponsive and sdr-a-a is disabled. the active-active sync feature can overflow the system with read/write disk requests to a point where the Steelhead runs out of memory.
• 138773 Fixed an issue where a Citrix user reconnecting to a session using Session Reliability saw the reconnect hang when MultiPort optimization was in use. The user might have seen a stalled progress bar and the message Connection in progress and the client-side Steelhead appliance might have showed a protocol error indicating misconfiguration of inner SSL. However the disk pressure mechanism is enabled only when sdr-a-a is enabled. raises an alarm. and passes through all connections. failing to stop the optimization process would cause traffic to be blackholed.
• 139973 Fixed a problem where the optimization process would not stop despite encountering an irrecoverable error. Steelheads now properly optimize these connections. thereby avoiding blocking on disk I/O when the system is under heavy load.
• 138278 Fixed an issue that resulted in crash of client-side optimization service in Smb2 blade. thereby reducing the overall number of DNS requests. the Steelhead now uses the cached value.
• 139798 Fixed a database corruption triggered by a configuration switch.
• 140087 The active-active sync feature did not check for memory pressure when replicating traffic and only relied on the read/write disk pressure mechanism. The issue was resolved by delaying the Citrix MultiPort inter-Steelhead packet until the inner SSL setup is complete.
• 139311 Fixed the formatting of the reports from 'show connections' and 'show flows' CLI commands to make them consistent with each other. For certain errors involving the inpath interfaces. Once discovered. the optimization process was supposed to stop itself and pass through connections. This issue was caused by interference of inter-Steelhead packets for Citrix MultiPort optimization and inner SSL optimization.
• 138418 Fixed an issue by removing un-needed access to disk file that checks for the current log level. the optimization process stops.
• 138610 Fixed an issue where an encrypted Outlook Administrator account could fail to connect to Exchange when Steelhead MAPI multi-context support was enabled. When an irrecoverable error was detected. • 139999 Reporting has been made consistent. 0 did not properly match the path domain when sending cookies. The fix was to handle a case correctly when server could respond with status pending for notify request in a chain of Smb2 requests. 27 . • 140269 Upgrade to 8.• 140186 Fixed the interpretation of Citrix Client Drive Mapped file transfer packets from a Citrix server to a Citrix client that could result in a file corruption. This fixed a crash in the optimization service resulting from packet corruption on the WAN. but the server-side Steelhead would fail to find the correct out-of-band connection for all but the first interface on which it received a connection. this fix addresses the case where the packet length was incorrectly set to 0. and ensures that the affected connection is terminated gracefully. • 140542 Fixed an issue that caused ICMP fragments to be dropped in a WCCP deployment. When the server-side Steelhead failed to find the out-of-band connection. which allowed remote attackers to steal cookies via a matching suffix in the domain of a URL. The fix helps avoid the crash. • 140532 The interrupt vector assignment algorithm has been changed to avoid assigning interrupts being used by RSP. • 140940 CVE-2013-1944: cURL cookie stealing vulnerability in tailmatch.30. FIX --The curl package has been upgraded. so no connections would be optimized over the problematic interfaces. • 140743 Fixed an issue where the optimization service aborted because of packet corruption on the TCP connection between Steelheads causing zero length esc packets. Steelhead Mobile clients were unable to accept connections. In particular.0 release disables Skipware Legacy Compression as a default behavior. 
The same issue can occur on client-side Steelheads that are behind a NAT device. This occurred when certain kinds of files were transferred from the Citrix server to the Citrix client during an optimized Citrix session with CDM latency optimization turned on. • 140790 Fixed an issue where Steelhead Mobile clients optimizing connections to multiple interfaces on the same server-side Steelhead would fail to optimize connections on certain interfaces but not others.5. it would attempt to initiate an out-of-band connection with the Steelhead Mobile client. • 141017 Fixed an issue where transfer of file stalled when Smb2 optimization was enabled. The Steelhead Mobile client would create an out-of-band connection for each interface on the server-side Steelhead. DETAILS ------The tailMatch function in cURL and libcurl before 7. This error occurred with file sizes that are 1 to 11 bytes larger than an even multiple of 4096 bytes. the fix only works if the Branch Steelhead and Datacenter Steelhead use the same non-default probe TCP option.• 141024 Fixed a bug where the Steelhead incorrectly assumed high memory pressure and throttled the traffic. • 141432 User inputs were escaped before returning it to the web client. This ensures that data from different servers on the same host are differentiated. when the MAPI connection has not been fully set up prior to pre-population. • 141467 Fixed a problem where a Steelhead responded to its own auto-discovery probe in rare cases where the probe packet was sent back to it from a connection forwarding neighbor. the Steelhead can continue to use the non-default probe TCP option value to peer with other customer Steelheads and it also peers properly with SCA Steelheads. Previously this was indicated by a binary flag value and has been updated to readable text. This information may be helpful to diagnose failures of the SDR accelerator card. 28 . 
• 142434 Provides more details in the log when the error deflate failed: -2 stream error occurs while using the SDR accelerator card. In direct-branch SCA mode. In backhauled mode. • 141980 CWE 400: A Fix was added to close an unbounded resource consumption vulnerability. DETAILS ------It was possible to control the image dimensions for the optimized throughput graph generated by the application. • 141793 Fixed an issue where optimization of SaaS connections through Steelhead Cloud Accelerator (SCA) would not work if the TCP probe option configuration was set to any value other than its default of 76. • 141892 There is an INFO level message generated for each HTTP connection that indicates what optimizations are configured. This crash was observed if MAPI pre-population was started on a connection. • 142473 The fix adds the port number to the OPT cache key. • 141276 Fixed a problem where a counting error on the server-side Steelhead appliance during optimized Citrix Client Drive Mapping transfers from the client to the server could cause memory corruption which frequently caused a failure of the optimization service. • 141368 The client-side optimization service could crash during MAPI pre-population. FIX --Limits were placed on the dimensions of the image to prevent exhaustion of resources. • 143807 Fixed the issue where no warning was given before shutting down for hardware spec upgrade. opens a file without acquiring the necessary Oplock. • 144217 The optimization service could crash if the first two Outlook Anywhere connections were optimized within a very close timespan. tail: 14 2a is a duplicate REQ • 144134 Fixed a kernel panic that could occur in a virtual in-path deployment and when RSP was enabled if RiOS generates fragmented packets. • 143378 Cleaned up the old web certificates which prevented any future certificate generation and importation. A warning has been added now.• 143118 With fix. especially Microsoft Office.11. 
Fixed an issue where KRB5KDC_ERR_POLICY could result in connections getting blocked for Encrypted-MAPI or Signed-SMB.11. This would more likely happen when packet-mode optimization was in use and fragmented packets were transported though other cases involving fragmented packets going out of the inpath interfaces could trigger the issue.207:49935 10. • 143386 Fixed an issue that caused intermittent issues during file opens. • 144300 Added support for DPI classification of Microsoft Lync traffic in QoS and Path Selection rules. A log message like the following may indicate that this problem has been experienced: [/citrix/sfe/parser WARN] {10. the Steelhead advertises correct number of IPv6 addresses to connection forwarding neighbors. Improved handling of multiple connections that share the same data and that led to high CPU followed by a crash because the Steelhead detected some loop condition. • 143790 Fixed problem where PFS/RCU may fail on 32 bit platforms. The issue occurs when an application.63:1494} S Req: 03 00 14 00 00 e0 02 00 00 10 . • 143202 Fixed a rare issue where a Steelhead could experience poor performance and log an error that included the text maybe_reset_inpath_interfaces after an upgrade.. 29 .0. • 144144 Fixed an issue where Encrypted-MAPI or Signed SMB connections could get blocked when using Kerberos and the KRB5KDC_ERR_POLICY error was seen. • 143569 Fixed a rare condition where the optimization service failed when scaling to more than 100K connections. • 144064 Fixed a problem with Citrix client mapped drive optimization where duplicate requests for the same file offset were ignored which could lead to incorrect data being delivered to the Citrix server. and a 'confirm' flag is needed to complete the action.141. The fix results in a connection being blacklisted instead. • 143422 Addressed the handling of "show packet-mode" command that leads to CLI crash in debug mode. too. 
misclassification may occur if the ICA rule is moved from the 1st position in the rule list.
• 144568 When a QoS rule is configured to classify Citrix ICA traffic based on perpacket ICA priority values.
• 144470 Fixed an issue where the CLI command 'reset factory keep-mgmt-ip reload' would cause the box to reload with the messages An internal error occurred and the system would fail to respond. DETAILS ------The svc_dg_getargs function in libtirpc version 0. The CLI starts up with the initial wizard. Note: This issue is not applicable to Steelhead versions 7. • 144856 Fixed an issue that ensured temporary credential caches got destroyed correctly to prevent Kerberos Tickets from leaking in delegation mode when performing cross domain delegation.3 and earlier. The issue caused packets belonging to a CITRIX connection.
• 144793 CVE-2013-1950: libtirpc rpcbind remote denial of service. The Steelhead now successfully reloads with factory configuration keeping mgmt ip intact. allowed remote attackers to cause a denial of service (rpcbind crash) via a crafted request.g.
• 144491 This fix corrects an issue where the CLI show interfaces command did not display all the interfaces after another interface (e. • 145214 A race condition with Kerberos authentication against Windows Server 2008 R2 with password replication policy enabled was fixed. SMB2/3 and MAPI. and carrying a non-null CITRIX ICA priority tag.
• 144796 Fix is to unlearn the invalidated URL so that the Steelhead does not repeatedly drop connections to the base page.
• 144472 Updated the Mouse-over help texts for authentication types for SMB.0 and lower FIX --This issue has been fixed by patching libtirpc for CVE-2013-1950.
• 145194 This fix disallows adding recursive IPv6 routes and default gateways for inpath interfaces.
• 144397 Fixed an issue that occurred when CITRIX blade was enabled and QoS disabled. This could result in the packets being dropped by an intermediate device in the network.
• 145211 Fixed an issue where the LAN interface MAC address instead of the WAN one could be used as the source MAC address for the outbound packets when the Steelhead was in virtual in-path mode. • 145027 Fixed a minor issue that would result in Unexpected NULL error messages reported in the logs and that did not impact any functionality. mgmt0_0) was disabled. to be marked with the ECN field in the IP header set to CE (binary 11 or Congestion Experienced).2. the CMC Appliance Details page can list all the RiOS 8. Optimized Lotus Notes connections where the client or server has a key smaller than 630bit were being dropped. changed the DSCP select list for QoP paths from Inherit from Application to Inherit from Site to provide more clarity. • 145593 Fixed an issue where the minimum key size of 630bit for Lotus Notes Encryption optimization was not being enforced. • 145605 On the Site Edit pane in Basic QoS setup.5.0 systems. 31 .• 145368 With the fix. 9. • 145884 CVE-2013-4854: BIND malformed RDATA remote Denial of Service (DoS).9.4b1. • The issue exists because of the way we were handling WAN visibility mode settings on middle Steelheads (Its independent of what WAN visibility mode is set in the inpath rule). which causes the OOM memory manager to kill sport. show in-path conn-hard-limit config see the set value in the config db. This command is preferred over the one specified below.8. • 145858 In a serial cluster optimizing IPv6 traffic using enhanced auto discovery. This feature is disabled by default.8. 32 . DETAILS ------The RFC 5011 implementation in ISC BIND 9.3-S1 before 9. in-path conn-hard-limit disabled disable probe splice limits show in-path conn-hard-limit state see the set value as seen by intercept.x before 9.3-P2. and 9.x before 9.8. This could result in out of memory conditions which could lead to crashes of the optimization service. the main Steelhead process. 9.9.9.x and 9.5-P2.4-S1b1. 
9.• 145611 The issue here was that if a server side steelhead received too many SYN packets for a client server connection through a client side steelehad.3-S1-P1 and 9.3-P2. might experience an optimization service crash.9. if we run into admission control on the first steelhead. and configures it automatically based on connection threshold and admission control limits. to enable it. This fix addresses this issue by limiting the number of connection a server side steelhead will try to optimize when flooded with SYN packets.9. • 145834 In Basic QoS mode. • 146050 Fixed a bug where excessive amounts of memory are allocated when transferring large files via Citrix Client Drive Mapping. and DNSco BIND 9. do not let the sum of site bandwidths exceed the configured WAN bandwidth.6b1.7. its possible that the second steelhead. • 146220 Improved the performance of deleting multiple QoS classes from the GUI. allowed remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query with a malformed RDATA section that was not properly handled during construction of a log message. FIX --BIND was upgraded to 9.9. This is in case the sysctl and config db go out of sync for any reason. which is supposed to take over the optimization duties. the server side steelhead might run out of memory. use the following command: in-path conn-hard-limit auto enables probe splice limits. DETAILS ------mod_session_dbd. there is a new Path Selection table. when clicked. show further details for that path. in a given connection's detail pane. which appears when Path Selection has been used by the given connection. These changes could facilitate the fixed target IPv6 inpath rules and single ended optimization with IPv6 use cases.6 and unused modules on the Steelhead were removed. 33 . • 147302 Applied a fix. • 146624 Resolved a multi-threading issue with the SSL connection bypass table. 
• 146316 The protocol connection * suite of CLI commands is expanded to accept both ipv4 and ipv6 addresses. FIX --The Apache httpd daemon was upgraded to 2. a QoS configuration update causes the following log message: QoS: writing tc commmands to stdin err Broken pipe.• 146237 Optimization process will no longer crash when this scenario occurs during active MAPI acceleration.5.4. • 147162 Fixed the counter overflow problem on 32 bit platforms that prevented simplified routing entries update. • 146370 Fixed an issue in RiOS 8. • 147466 On the Current Connections page.4. • 146796 CVE-2013-2249: Apache HTTP mod_session_dbd module unsafe save operations. • 147495 This change extends the range of disks recognized by the vSH on Hyper-V. which had unspecified impact and remote attack vectors.0 where when an interface is connected but QoS shaping is not enabled on that interface.c in the mod_session_dbd module in the Apache HTTP Server before 2. such that after a hardware upgrade the QoS bandwidth limits are automatically updated and a reboot is not required for them to take effect.5 proceeded with save operations for a session without considering the dirty flag and the requirement for a new session ID. • 146853 Fixed an issue with the RTT calculation logic in RiOS that caused incorrect and extremely large values to be exported in Netflow records for connections that use transparent mode for inner connections. Named paths have magnifying glass icons that. for example. show hardware licensing info showed a DIMM with size 128MB or unbranded.6 through 3.509 certificate. or encode user input before returning it to another user’s web client. This was specific to the admission control handling of MAPI connections if special handling of MAPI connections under Admission Control was enabled. 34 . through bookmarking of a carefully crafted URL -. 
• 148238 This fix hides TCP Congestion Algorithm and outer channel IP address for SHM connections since there is no WAN section and outer channel IP address for the connections between SteelHead Mobile and Client Side SteelHead. • 147895 Fixed an issue where the message No nic configuration file found will appear too frequently. Web UI forms can now only be submitted with the POST method.6 RPM with patch for CVE-2013-4238. filter. FIX --Fixed an XSS vulnerability on the EX platform's Software Upgrade page • 147765 Fixed insufficient memory error for small 32bit boxes.755. • 147949 Fixed the issue where the optimization service could crash when Steelhead entered Admission Control and had optimized MAPI connections. For models 250. Also.match_hostname man in the middle arbitrary server certificate spoof attack.• 147685 CWE-79: Cross Site Scripting (XSS) Vulnerability on the EX platform's software upgrade page.could result in race conditions. which allowed man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.555. denial of service and security check bypass. • 148135 Replaced certain verbose HTTP 500 errors with generic ones. • 148017 CVE-2013-4238: Python ssl. This is fixed by upgrading to a newer version of the BIOS. DETAILS -----Cross Site Scripting (XSS) Vulnerability was caused due to failure of a site to validate. • 148200 Forms submitted using a GET method instead of the standard POST -. This message no longer appears at the INFO level and only appears at the DEBUG level. the machine might show an error saying Insufficient memory to sustain current model. FIX --Upgraded Python 2.match_hostname function in the SSL module in Python 2.4 did not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.550. DETAILS ------The ssl. • 148943 Enabled decrementing time-to-live (TTL) for such packets by default. 
• 148660 Fix was made to properly classify DPI applications that rely on the port map in the DPI library.
• 148816 Fixed a Cipher suite ... is not supported log message so that the unsupported cipher suite is correctly printed.
• 148964 CWE-79: Cross Site Scripting (XSS) Vulnerability in management UI log display page.
  DETAILS: Cross Site Scripting (XSS) Vulnerability was caused due to failure of a site to validate, filter, or encode user input before returning it to another user’s web client.
  FIX: Values returned in the UI log display page are escaped.
• 149174 Fixed parsing logic to correct the statistics reported by CLI command 'show path-selection paths stats'.
Server and probe caching features must be disabled.
• 149549 Fixed memory leaks in the management process.
• 149892 Fixed a regression in RiOS 8.5.0 where the Filter by: Regular Expression filter criterion for Current Connection was no longer available.
• 149904 Fixed an issue with the QoS feature that did not work on the AWS Cloud Steelhead. Previously, when configuring QoS, an error saying that the primary link is not up or that the link speed is lower than the configured wan link rate would show up. This did not affect ESX Cloud SteelHead.
• 149926 Fixed problem where web rest-server enable caused the web server to stop responding.
• 150222 Fixed an issue with the handling of small requests and responses for optimized exchange traffic.
• 150257 Removed RiOS internal state information from the output of the CLI command 'show path-selection path * state'.
• 150258 This fix addresses a page allocation failure with backtraces which may have been seen when a sysdump was initiated. This issue was due to large memory allocation attempts while displaying tcp socket details using networking tools like netstat -al. This happened only when the Steelhead had lots of fragmented memory.
• 150358 The issue arose because internal tables on the Steelhead which store the per-flow direction value were not updated correctly. This has been addressed and with the fix, the value of the biFlow direction for each flow is consistent through the lifetime of the flow.
• 150401 Fixed the logic that causes the following error message to be logged when there is no functional impact while executing the CLI command 'show path-selection path * state': [mgmtd.ERR]: Failed parsing paths config proc entry
• 150449 Fixed a problem in validation of the SSL proxy certificate against the host name presented in the SNI. This validation would erroneously fail if the proxy certificate used wildcard characters. A specific example would be a bypass for www.google.com if the proxy certificate contained *.google.com. Code was updated to correctly handle such wildcards.
• 150483 Fixed a problem where emails reporting /bin/sh: /usr/lib/sa/sa1: No such file or directory may be sent from 32-bit appliances running RiOS 8.
• 150592 Fixed an issue where anonymous logons for CIFS-SIGNED connections are now correctly handled in NTLM-Delegation mode as opposed to getting blacklisted.
• 150669 Fixed an issue that caused PFS local mode shares created pre-7. 0 inaccessible when RiOS is upgraded to 8.
• 150743 When upgrading to RiOS 8. we scan the QoS configuration, detect the corrupted QoS configuration and fix it automatically.
5. 6. 5. 0. 0. 0. 0.
• 150957 Fixed an issue with the http optimization service which was dropping the beginning part of request data if bypass condition was hit when parsing the http headers split in more than one tcp frame.
• 151006 The fix gracefully handles the Outlook user reconnect and MAPI prepopulation session close.
• 151073 The fix in RiOS kernel gracefully handles the rare condition to prevent service disruption.
• 151146 Due to a complex coding issue there are times when the Citrix DSCP markings are incorrect.
These issues are now resolved.
• 151160 Implemented DSCP transparency feature to preserve the DSCP value from end-hosts to all outer and inner connection packets when full-transparency mode is used.
• 151284 A component required for QoS was missing in the Hyper-V interface driver. This caused the QoS to always be disabled on Virtual Steelhead for Hyper-V. This fix now adds in that component.
• 151418 Fixed the SSL optimization module selection logic.
• 151461 Fixed a problem where log messages stating [ping/client.ERR] 0 {.-} Error reading from socket Unknown error were printed when handling a premature end-of-stream TCP socket error. The TCP socket error is now handled correctly, and the log message states that an end-of-stream error occurred.
• 151633 The fix is to do a complete cleanup of specific data structures involved in the Find operation in Sport when a SMB2 Find Operation is cancelled by the client.
• 151682 Fixed an issue which caused client side optimization service to crash when smb2 optimization was enabled and a request inside smb2 compound request was cancelled by the client. The fix is to appropriately handle the state of request upon being cancelled and not treat it incorrectly as a pre-acknowledged request.
• 151873 This fix adds SaaS platform name for pass-through connections which go through Akamai when SaaS is supported and enabled. User can see the SaaS platform name in the show connection details report.
• 151875 The fix ensures that the state in the Steelhead required to intercept the proxied MAPI connections is not lost unexpectedly.
• 151920 Fixed a problem that caused a crash while processing HTTP requests using chunked transfer encoding, if the CRLF following the chunk length and the chunk length were split in two different tcp packets.
• 151943 Code has been corrected to properly generate the required ICMP fragmentation needed when a packet is dropped due to inpath MTU setting.
• 152046 Fixed an issue where the passthrough reason reported for failed terminated connections from Granite is misleading.
• 152250 On the Steelhead with double interception, there are maybe two connections with same source IP, source port, destination IP and destination port. This fix adds support to display these connections together in CLI.
IN CLI.
• 152280 This fix temporarily removes SMB2 Find prefetches on encountering a compound request containing a Create request and an unsupported find request.
• 152447 This fix treats report settings as non-configuration changes so that they are not reported as configuration changes and no SNMP trap is generated.
• 152628 Fixed a bug that caused the console dump process to repeatedly display the same outdated message localhost kernel: con_dump: restoring oops message, timestamp=... after a machine reboot.
• 152667 Fixed an issue that resulted in performance issues with CIFS clients. Microsoft Office applications were particularly vulnerable for slowness. The issue occurred when the server was NetApp ONTAP 8.x C-mode, only for releases prior to 8.2P3. Process to identify if a slowness issue is due to this bug: if the below wireshark filter applied on server-side Steelhead LAN trace shows one or more packets, then it's a match for this bug:
  (smb.cmd==36) && !(smb.flags2.string == 1) && (smb.lock.type.oplock_release == 1) && (tcp.dstport == 445 or tcp.dstport == 139)
• 152793 CVE-2010-5107: OpenSSHv6.1 fixed time limit connection slot exhaustion DoS.
  DETAILS: The default configuration of OpenSSH through 6.1 enforced a fixed time limit between establishing a TCP connection and completing a login, which made it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
  FIX: To reduce the risk of denial of service attacks described in CVE-2010-5107, added MaxStartups 10:30:100 to sshd_config file, and patched OpenSSH to have that be the default. This enables random early drop as described in the sshd_config man page.
• 152827 Resolved the issue that triggered the admission control in SH due to memory pressure. Previously, certain requests cached by the MAPI connection tracker were only cleared when all the connections between a particular client-server pair terminated. As a result, in certain environments, this was leading to an increased memory usage, and hence high memory pressure. With the current fix, the per association group cleanup is done as soon as all the connections belonging to that particular association group have terminated, thus relieving memory pressure.
• 152861 Fixed an issue which caused server side optimization service to crash when Smb2 optimization was enabled and an interim Notify response came from server before rest of the chained responses. The interim response was held back at SFE causing failure in processing rest of the chain responses. The fix is to let the interim response reach the client and have the rest of chained responses sent to the client when complete chain is received.
• 152903 Fixed a memory corruption issue in CIFS blade that caused crash of optimization service.
• 152965 Fixed an issue where the Steelhead might crash when Steelhead Cloud Accelerator was optimizing O365 outlook client connections. The crash might occur on a heavily-loaded Steelhead due to an invalid pointer access triggered by a new Outlook optimized connection creation.
The crash stack dump lists CodecHandle::~CodecHandle().
• 153086 The optimization service crash was seen because the http module was trying to cleanup some internal state which was already cleaned when we received end of connection from the server. Now if the http module receives any message from the server after the end of connection we drop the connection.
• 153113 Fixed an issue where continuous logging hung up the UI when too many requests were active at the same time.
• 153148 Resolved a service crash that could occur in rare cases after an HTTP request parse failure on the server side Steelhead. This was due to an unexpected HTTP request that was supposed to result in a connection drop, which was its default behavior, but due to a bug in the error message formatting, it resulted in a crash.
• 153272 Fixed an issue where O365 webmail connections through Steelhead Cloud Accelerator might fail when Steelhead and Interceptor were deployed on the client-side. This issue occurred when Steelhead tried to apply cloud acceleration to connections that were RiOS passthrough.
• 153328 Correctly handle Kerberos Authentication Protocol requests without an authenticator subkey to prevent a potential sport crash while performing kerberos decryption.
• 153424 New feature: A new sys_admin RBM role allows users full administration access, including changing users and RBM permissions without being logged in as Admin. The feature provides better control and auditing of users with privileged access levels.
• 153482 The issue occurred in the MAPI component when the client side Steelhead was waiting for the encryption key from the server side and a request came on the same connection without any authentication context. The fix ensures the correct handling of this scenario.
• 153504 RBM users may use tcpdump if they are given that role with read-write permission.
• 153653 Fixed an issue where un-canceled timeout events in the optimization service's event-system could result in crash.
• 153762 CVE-2013-4348: skb_flow_dissect remote Denial of Service via IHL with IPIP encapsulation.
  DETAILS: The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allowed remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.
  FIX: The kernel has been patched to mitigate CVE-2013-4348
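Two of the fixes listed above, 148017 (a '\0' character in a Subject Alternative Name) and 150449 (wildcard proxy certificates checked against the SNI host name), both concern how a certificate name is compared with the expected host. The sketch below is an added example, not RiOS or Python library code; the function names are hypothetical and the sample names are constructed.

```python
"""Added example: comparing certificate dNSName entries with an expected host."""


class CertificateNameError(ValueError):
    """Raised when a presented name must be rejected outright."""


def c_string_view(name):
    """What NUL-terminated string handling sees: the text before the first NUL."""
    return name.split("\x00", 1)[0]


def match_truncating(san_dns_names, hostname):
    """Flawed matcher: only the part of each name before a NUL byte is compared."""
    wanted = hostname.lower()
    return any(c_string_view(n).lower() == wanted for n in san_dns_names)


def _labels(name):
    # Case-insensitive comparison on DNS labels; a trailing root dot is ignored.
    return name.lower().rstrip(".").split(".")


def match_dns_name(pattern, hostname):
    """Match one dNSName against hostname, label by label."""
    if "\x00" in pattern:
        raise CertificateNameError("NUL byte in certificate name %r" % pattern)
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h or len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label and needs at least
        # "*.domain.tld", so "*.com" never matches anything here.
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial or non-leftmost wildcards are refused
    return p == h


def verify_hostname(san_dns_names, hostname):
    """Reject any name carrying a NUL byte before trying to match at all."""
    if "\x00" in hostname:
        raise CertificateNameError("NUL byte in expected host name")
    for name in san_dns_names:
        if "\x00" in name:
            raise CertificateNameError("NUL byte in certificate name %r" % name)
    return any(match_dns_name(n, hostname) for n in san_dns_names)


# Constructed sample names (not taken from the release notes).
SPOOFED_SAN = ["www.example.com\x00.attacker.test"]
WILDCARD_SAN = ["*.example.com"]

if __name__ == "__main__":
    print("truncating matcher accepts spoofed name:",
          match_truncating(SPOOFED_SAN, "www.example.com"))
    try:
        verify_hostname(SPOOFED_SAN, "www.example.com")
    except CertificateNameError as exc:
        print("strict matcher rejects it:", exc)
    print("wildcard matches www.example.com:",
          verify_hostname(WILDCARD_SAN, "www.example.com"))
```
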
• 153763 Fixed an issue when handling multiple outstanding authentication requests on a single MAPI connection. The outstanding requests are now serialized to ensure correct behavior.
• 154090 Fixed memory leak issue introduced due to libxml2 library upgrade in RiOS 8.
• 154094 Fixed an issue with the dns interface cli command where the warning Unable to find header for reverse mapping block would appear in the system log.
• 154199 Fixed an issue where SMB3 port 8781 would not be listed among list of Monitored Ports.
• 154203 CVE-2013-4545: cURL man in the middle certificate spoofing
  DETAILS: cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disabled the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) was disabled, which allowed man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
  FIX: Applied patch to cURL for CVE-2013-4545. The fix preserves acknowledging VERIFYHOST when VERIFYPEER is disabled
• 154252 Fixed an issue where the Gratuitous 401 responses to HEAD requests from the client-side Steelhead included the message body resulting in parse failures and thereby dropped connections.
• 154295 Fixed the shutdown code that would prevent the optimization service crash when MAPI pre-population was being closed.
• 154358 Fixed an issue where the following message might appear in the log on systems with a certain type of eUSB device: Let scsi_cmnd (1) abort. usb 2-5: reset high speed USB device using ehci_hcd and address 2
• 154410 The Web UI now sets the X-Frame-Options header, which provides an additional layer of protection against cross-site scripting vulnerabilities.
• 154630 Fixed an issue where an empty inner connection pool would fail to repopulate pool connections to the peer Steelhead if the last connection in the pool was removed due to an error. With this fix, the connection pool will repopulate the next time an optimized connection is created for the peer Steelhead associated with that connection pool.
• 154671 The version incompatibility alarm between connection forwarding neighbors, when multi-inpath support was enabled, has been fixed to be shown as Cluster Neighbor Incompatible.
• 154696 Fixed an issue where deleting a QoS rule could corrupt another rule, causing it to pick up the paths specified in the rule below it.
• 154763 Fixed a bug that was caused by certain bulk qos configuration changes which only happened when the changes were pushed from CMC or due to a config DB switch.
• 154811 Fixed a bug found in HFSC upper limit service curve which caused a lot of packets being throttled incorrectly and CPU utilization to be high.
• 155001 Fixed an issue where server side Steelhead running RiOS 8. 0 or higher dropped CIFS pre-pop connections initiated by the client side Steelhead running RiOS 6. 6 or lower.
0. 5. 5. 5. 2.
• 155260 Fixed an issue that prevented secure peering when optimizing snap mirror and SRDF traffic.
• 155336 Fixed an issue where the /var partition became full after collecting Application Visibility stats. The system dynamically scales back granularity thresholds when low partition space is detected.
• 155648 CVE-2013-6449: OpenSSL ssl_get_algorithm2 version number remote DoS using TLS 1.2 client
  DETAILS: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtained a certain version number from an incorrect data structure, which allowed remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
  FIX: This issue has been fixed by patching the OpenSSL library to fix CVE-2013-644
• 155751 A problem was introduced in 8. 0 where the first request of an Oracle Forms connection was incorrectly interpreted and being blocked. Clients would issue a request and it would appear as if the server weren't responding. Corrections to the parsing code have resolved this problem.
• 155783 CVE-2013-4353, CVE-2013-6449, CVE-2013-6450: Openssl cumulative security update
  DETAILS: Openssl cumulative security update for CVE-2013-4353: TLS record tampering, CVE-2013-6449: TLS incorrect version checking and CVE-2013-6450 DTLS context interference
  FIX: Upgraded OpenSSL to 1.0.1f to fix CVE-2013-4353, CVE-2013-6449, CVE-2013-6450.
• 155830 Fixed NT_STATUS_REVISION_MISMATCH during replication to some Windows 2003 R2 and Windows 2012 R2 servers caused by unsupported Bind response lengths.
• 155913 Fixed a problem where the local interface IP address was not correctly printed when the Out-of-Band (OOB) connection was disconnected. Log messages for Resetting state for oob splice would sometimes print the IP address of a different local interface than the interface on which the OOB connection was established. The log message now prints the IP address of the local interface associated with the OOB being disconnected.
• 155950 CVE-2013-4353, CVE-2013-6449, CVE-2013-6450: Openssl cumulative security update.
  DETAILS: Openssl cumulative security update for CVE-2013-4353: TLS record tampering, CVE-2013-6449: TLS incorrect version checking and CVE-2013-6450 DTLS context interference.
  FIX: OpenSSL was upgraded to mitigate CVE-2013-4353, CVE-2013-6449, CVE-2013-6450.
• 156010 Fixed an issue where unsigned CIFS connections got blocked due to a regression. Unsigned CIFS connections continue to get latency optimized as in pre8.
• 156286 CIFS prepop sync operations that exceed max sync time or max sync size were cancelled, and the sync operation was marked as failed. This caused the sync operation to retry after 5 minutes, irrespective of whether it succeeds or not, which was not desirable. The fix to this bug treats these errors as non-critical and avoids retries.
• 156358 The optimization service (sport) could crash due to excessive buffering of packets, resulting from slow response to growing memory pressure on a steelhead. This fixes the issue by detecting memory pressure in advance and throttling traffic.
• 156432 Fixed an issue that resulted in optimization service crash on the client-side Steelhead at NamesDecoder::handle_event(). Fix involves clearing action pointer when encode or decode operation completes.
• 156487 Path Selection Path Down alarm emails didn't show which path was down. Path down alarm emails now list out the name of paths that are down.
• 156897 Fixed an issue where SNMP did not listen on Mgmt In-Path interfaces.
• 157120 Fixed an issue that caused server side optimization service crash at Smb2::ChainSplitterQueue::update_lease_create_response(). Crash occurred when the client reused a lease on a connection while the lease preexisted from another closed connection. A notice level log that attempted to access the parser from the closed connection led to this crash. The fix is to get rid of that reference to closed connection in the notice level log.
• 157317 Mismatch between milliseconds and seconds in time conversion was causing period between SCEP certificate renewal checks to be 1000x longer than expected. Certificate was checked ~17 hours after initial startup, then every 1000 days after that. Corrected time conversion so checks occur 1 minute after startup, then every 24 hours after that.
• 157319 Fixed an issue where connections from Steelhead EX RiOS to Granite core were not optimized and the following error messages occurred in the Steelhead syslog: [intercept.ERR] .{.-} ioctl 0xc0c87a06 (z . 6) failed: Invalid argument.
• 157351 Fixed an issue which caused crash of client-side optimization service when Smb2 blade was enabled. For a certain sequence of request commands in an SMB2 packet sent to the server, the SMB2 optimization module on the server-side Steelhead failed to do error checking on the response. The fix involves addition of response error checks.
• 157539 The OVA package has been updated to add support for older hosts (older than ESXi 5. 0).
• 157540 Fixed an issue that resulted in client-side optimization service crash originating from Smb2::ClientParser::request_cancel_hook(). The fix involves making sure that the file handle exists when an SMB2 Find operation is cancelled, before attempting cleanup of specific data-structures.
• 157553 Fixed an issue in RiOS kernel that caused a kernel panic when a SYN packet of a transparent mode inner connection that originated at a Steelhead which was also a connection forwarding neighbor was processed.
• 157716 Before the fix, RIOS would cease latency optimization if an early response was detected.
A synchronization problem between peering Steelheads was introduced in 8. 0 where a few bytes of internal routing data were appended. The extra data would have been interpreted by the server as a Bad Request. The issue has been resolved.
5.
• 157931 New feature: the SSH server's allowed message authentication code (MAC) algorithms may be configured using the ssh server allowed-macs CLI command. The show ssh server allowed-macs CLI command shows the current setting.
The default setting is to allow hmac-sha1. which has been available in OpenSSH since version 2. 1 (June 2000). Other MACs that may be enabled are hmac-md5. hmac-ripemd160. and hmac-sha2-512. hmac-sha2-256. hmac-sha1-96. and hmac-md5-96. [email protected] com.
• 158139 Fixed an issue that caused the pathSelectionPathDown SNMP trap reported instead of pathSelectionPathDownClear when path down alarm cleared.
• 158279 The Steelhead optimization service could print a warning syslog message like enable_callid_renumber() called more than once, this should not happen!. While the MAPI optimization would continue without issues, we have fixed the underlying condition that triggered this message.
• 158343 Fixed an issue that caused mgmtd in FIPS mode to crash while processing a user's password change. This issue only occurred if the user's expired password was blank, and when prompted to enter this old password the user entered a non-empty value.
• 158423 Fixed a race condition that existed when the path selection feature was enabled and the Steelhead received ICMP packets that would cause failure of the path-monitoring daemon.
• 158480 Fixed an issue where some error conditions (e.g., Cannot assign requested address) on the server-side Steelhead might have caused the connection states to get out of sync among the Connection Forwarding peers (with or without Interceptors, but more likely to happen with Interceptors.) When this happened, the SYN-ACK packet from the server might have been leaked to the client rather than being intercepted by the server-side Steelhead, causing the client-side Steelhead Asymmetric Routing alarms to be triggered.
• 158622 Before Outlook opened a MAPI connection to the Exchange server it used the EPM protocol to query for the TCP port of the Exchange MAPI service. The Steelhead optimization service was not using the Exchange MAPI service's IPv4 address of the EPM protocol correctly. With the bug fix applied the optimization service is correctly using the IPv4 address.
• 158818 CVE-2013-1775: sudo authentication bypass via system clock and user timestamp reset.
  DETAILS: sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allowed local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch
  FIX: Upgraded sudo RPM as described in https://rhn.redhat.com/errata/RHSA-2013-1701.html to fix CVE-2013-1775.
• 159010 Fixed a race condition in RiOS kernel that may have caused a kernel panic when disabling the path selection feature.
• 159437 The truncation is fixed and the correct number of connection is displayed.
• 159533 FTP blade was unable to handle EPSV mode responses that used a nonstandard delimiter. Most FTP servers used the '|' character to delimit the port number, and RIOS failed if any other character was used. Relaxed parsing code to allow for legal delimiters per RFC 2428.
• 159644 Fixed an issue that would cause fragmented packets other than TCP, UDP, or ICMP to be blocked when RSP was enabled. This was due to some mishandling in the defragmentation logic for such packets.
• 159832 CVE-2012-6638: Linux Kernel tcp_rcv_state_process SYN+FIN remote DoS
  DETAILS: The tcp_rcv_state_process function Linux kernel allowed remote attackers to cause a denial of service (kernel resource consumption) via a flood of SYN+FIN TCP packets
  FIX: SYN+FIN TCP packets were generally illegal and served no legitimate purpose. The RiOS kernel has been patched to drop such packets.
• 160011 CVE-2014-1912: Denial of Service vulnerability in Python sockets due to boundary check errors in sock_recvfrom_into
  DETAILS: A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that used the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code. This vulnerable function, socket.recvfrom_into(), was introduced in Python 2.5.
  FIX: Applied security patch to Python for CVE-2014-1912.
• 160464 Configuration options 'protocol mapi outlook-anywhr schannel enable' and 'protocol mapi outlook-anywhr multi-context enable' were interacting in a way that forced multi-context to be enabled anytime that schannel was enabled. This issue has now been resolved and multi-context support can be disabled if needed.
• 160543 Fixed a kernel panic issue that would happen when disabling Path Selection while traffic was running and got Path Selected. This was because the system resources for some inpaths could have been released while other inpaths were still active. When a packet from an active inpath got steered to one that had been disabled, the panic could occur.
• 160623 CVE-2014-0092: GnuTLS Certificate Validation Security Bypass Vulnerability
  DETAILS: GnuTLS failed to properly handle certain errors in x.509 certificate verification which could result in a specially-crafted certificate being accepted as valid even when issued by any non trusted Certificate Authority. This could be used to perform man-in-the-middle attacks against applications using GnuTLS.
  FIX: No action needed as GNU TLS is not used in the currently supported RiOS software and was removed starting with RiOS 8. 6 and hence not vulnerable to CVE-2014-0092.
• 160813 Fixed this bug by ensuring the Global DSCP setting does not overwrite the DSCP value set by the matched header base rule.
• 161148 When using web ssl cert generate key-size, unusable key sizes which would have caused HTTPS access to the web server to fail are disallowed.
• 161153 When using web ssl cipher, invalid cipher strings are disallowed.
• 161176 Netflow templates carried field IDs for RiOS specific fields in the range carved out for Riverbed, 51000 and higher. This behavior was enabled by default when a Netflow v9 or CascadeFlow collector was configured. The behavior can be toggled using the CLI command, '[no] ip flow-export destination <collector_ip> <collector_port> rvbd-field-ids enable'.
• 161478 Fixed an issue where the sched process would sometimes crash when deleting a job scheduled to execute in the future. This would only occur if sched, or the entire appliance, was restarted after creating the job.
• 161682 Fixed an issue where a failed addon card could cause other addon cards to be not properly identified and used.
• 161816 Fixed an issue that prevented Windows 8.1 or Windows 2012R2 clients from establishing SMB3 connections when connecting through Steelheads. With this fix, connections from Windows 8.1 to Windows 2012+ servers are latency-bypassed, while SDR optimization on these connections is not affected. Latency optimization of connections from Windows 8.0 to Windows 2012+ servers and SMB 2.x connections is not affected.
RiOS releases affected by the issue: 7. 0 to 8. 5. 0. 6 8. 0. x 8. 5. 2b 0 to 8. 0.
• 161842 Modified certain error messages from the image fetch command to prevent information disclosure in logs.
• 161849 Made the following CLI command available that allows for the in-path interface MTU and LAN and WAN interface MTUs to be decoupled: 'interface mtu-override enable.' This capability is required if RiOS is unable to receive and process packets larger than the in-path interface MTU, including passthrough packets.
• 161984 Fixed this bug by ensuring invalid site index is not accepted as input.
• 161987 CVE-2014-0098: Apache httpd mod_log_config crafted log cookie denial of service.
  DETAILS: The log_cookie function in mod_log_config module in the Apache HTTP Server allowed remote attackers to cause a denial of service via a crafted cookie that was not properly handled during truncation.
• 162094 On the Current Connections UI report, applications are sorted by their displayed name. Only the last component is used for sorting. Higher-level components of the application name, if any, are available in a tooltip or in the connection details.
FIX --Upgraded Apache httpd web server to fix security bug CVE-2014-0098.0. If user has configured collectors on the Steelhead. If this empty response is received during cached mode acceleration and skip-copy is not enabled. • 163509 Fixed a problem where the citrix optimization blade was causing high CPU usage. You may want to enable 'protocol mapi skip-copy enable' on client-side and server-side Steelhead. the following INFO message is logged instead: Accelerator was optimizing when empty response was received.c in the client in OpenSSH 6. • 163622 CVE-2014-2653: OpenSSH remote servers skipping SSHFP DNS RR checking. This issue can be identified by checking the netflow/interfaces file in the sysdump. netflow records are not sent to the configured collectors and Application Visibility reports are not created. For application Visibility to work. the same can be disabled and enabled. top talker reports may not display any data even though the feature is enabled.• 162506 After an upgrade or reboot. DETAILS ------The verify_host_key function in sshconnect. flow export can be disabled and enabled. even though enabled. Due to this high CPU usage. the watchdog timer would mark the thread as unhealthy and cause SIGABRT signal to be sent to the optimization service resulting in its termination. FIX --Applied patch for CVE-2014-2653 to OpenSSH 49 . which will indicate in this case that flow tracking is not switched on for any of the interfaces. For top talkers to work. The high CPU usage was due to logic in the Citrix blade where it was processing a long chain of data causing it to take a long time to complete. • 162741 The Steelhead no longer logs this warning for valid empty response PDUs. Also. the same can disabled and enabled.6 and earlier allowed remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. 
Filtering on the higher-level application component.• 163743 CVE-2014-0160: OpenSSL heartbeat extension sensitive information disclosure. • 163928 Path Selection may not be applied to WAN bound traffic if the next hop or default gateway for a Steelhead's in-path interface is on LAN side. DETAILS ------The TLS and DTLS implementations in OpenSSL 1.1g did not properly handle Heartbeat Extension packets. It is not possible to sort by the first component of the chain. can be used to find children of an application. automatic renewal fails with error Transaction not permitted or supported by the SCEP responder (eg. Default gateway or next hop must be on the WAN side of the Steelhead. the ESH version of curl adds a Content-Length header to the CONNECT request. some connections have multi-level application types such as HTTP > WebDAV > SharePoint. See http://heartbleed. Some proxy services will fail the CONNECT request with a 400 status.k.com/ for more details. • 164125 On the User Permissions screen of the UI. The memory leaks have been fixed. Only the last component is used for table display and sorting.1 before 1. then sorting. Use the Citrx Acceleration role to assign permissions for Citrix. ESH requests to the Cloud Portal will fail. rejected by CA operator. Keep email notification enabled to continue triggering SNMP traps. the Citrix Acceleration role is misspelled and appears at the bottom of the list under the Uncategorized heading. 50 . (a. • 158916 When using SCEP for peering certificates.0.0. • 162670 The Steelhead QoS functionality cannot classify Microsoft Lync 2013 traffic. • 161036 When connecting to the Cloud Portal through a proxy server. etc).0. FIX --Upgraded OpenSSL to 1. Configure the proxy server to allow requests with 'Content-Length' header.a. Heartbleed bug).1g to fix CVE-2014-0160 (Heartbleed Bug). • 162338 SNMP traps are triggered only when email notification is enabled. • 162479 On the Current Connections report. wrong passphrase. 
The next hop may be set by adding a static route in the in-path interface's routing table. which allowed remote attackers to obtain sensitive information from process memory via crafted packets that triggered a buffer over-read. 6) KNOWN ISSUES • 150102 Memory leaks may occur if non-SSL traffic flows over SSL ports. Netflow DPI.5.3 build date May 19.2 > 8. Instead. the zero value is not copied onto the optimized channel if QoS marking is disabled.x. • 193992 When Path Selection is enabled and the SteelHead is peered with an Interceptor. re-install the licenses.6.0 > 8.5. Example: 8.5. traffic is relayed if there are no Path Selection channels configured. 20 2013 8. instead of a downgrade.6. The current connections reports may show Path Selection is occurring for the relayed traffic. 2014 8. or Application Visibility. 2014 The following path would hit this bug: 8.• 164780 For customers who use Path Selection.6.5. the DSCP mark from the client is reflected in the server-to-client direction.0 > 8.6.5.6. 51 . and then the upgrade to 8. • 221376 When an IPMI alarm is raised.2 > 8.x release is installed/downgraded to. This scenario can be encountered when 8.. or re-install a pre-8.6.6 release that has a build date that is later than the 8.5.3 > 8. to recover the licenses and optimization.x partition.0 build date April 15.2 > 8.x release that is in the image history and dated prior to the target release. • 216828 For optimized flows in which traffic from the server is marked with DSCP 0.6 release that is dated later than the 8.2 > 8.2 > 8.6. From the previous example. e. "Power Unit #0xf2:AC lost Power Unit #0xf2:AC lost".0 (8.5. and that 8. One must downgrade to a pre-8.x image that is in the image history.3 > 8. Setting an explicit marking on the server or enabling QoS marking on the server-side SteelHead will prevent this issue.x release being installed. No workaround.3 > 8.6.x takes place.0 is a downgrade due to 8. • 173590 Downgrading the Steelhead to RiOS 8. 
SMB2 connections may be reported as CIFS on the Current Connections report.6.5.5. the web user interface may show the description twice. No workarounds exist.6. the Steelhead is running a pre-8.6.6. Avoid this scenario by ensuring that an upgrade.6.0).x from a pre-8.6.2 build date Dec.6. and 8.6. Quality of Service.g.5. the following path is successful: 8.0 being in the image history.6.0 In the loss-of-license condition.x release will cause a loss of license and optimization will fail to start.5.x is in the Steelhead's image history. revert to the pre-8.3 build date is later than 8. to 8.6. For Virtual Steelheads. If running Cloud Steelheads. If running Cloud Steelheads. Setting speed and autoneg to auto/auto on one side with other side hard set will bring linkup successfully.• 200364 Link failure has been observed on certain NICs with Intel Chipset i350 (Riverbed part number 410-00115-01) when autoneg is turned off or hard set to full or half when speed is set to 100 mbps or 10 mbps. 9) HARDWARE AND SOFTWARE DEPENDENCIES Please review the Steelhead Appliance Installation and Configuration Guide for information on hardware and software dependencies. please see the Riverbed Cloud Services User's Guide. please see the Riverbed Cloud Services User's Guide. 7) UPGRADING THE RIOS SOFTWARE VERSION Please review the Steelhead Appliance Installation and Configuration Guide for information on upgrading the RiOS software version on Steelhead appliances. please see the Virtual Steelhead Appliance Installation Guide. For Virtual Steelheads. please see the Virtual Steelhead Appliance Installation Guide. 52 . 8) CMC COMPATIBILITY Please review the Steelhead Appliance Installation and Configuration Guide for information on CMC compatibility. Another workaround is to hard set speed and leave the auto-neg to Auto instead of hard setting to full or half. Outside the U.10) CONTACTING RIVERBED SUPPORT Visit the Riverbed Support site to download software updates and documentation. 
Browse our library of Knowledge Base articles and manage your account. To open a support case, choose one of the options below.
Phone: Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial +1 415 247 7381.
Email: Send email to support@riverbed.com. A member of the support team will reply as quickly as possible.
Online: You can also submit a support case online.
©2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.