3 Replies Latest reply on Aug 17, 2016 5:15 AM by phoffmann

    CSA Update Patch 178

    carlos Expert

      Today i got this message on my CSA:

       

      GSB431_178CSA accumulative patch 178

      Patch 178 contains the following fixes:

      1. 327834: The CSA still shows up as vulnerable to CVE-2016-2107 (Qualys SSL Labs). Patch replaced the shared OpenSSL library but did not replace a statically linked copy.
      2. 322168: The blocked client certificates list shows an incorrect created column. The fix will insert the current time when a cert is added to the list.
      3. 329849: Protect the PHP scripts against HTTPoxy (sic) attacks CVE-2016-5385 by intercepting Proxy HTTP header properties.
      4. 209318: Third-party certificates do not work in FIPS 140-2 mode and cause the CSA to become inoperable. After applying patch 178, third-party certificates need to be reinstalled before switching to FIPS mode. Do not reverse that order!

       

      What is it that we are supposed to do?

       

      Regards.
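Fix item 3 in the notice above is about httpoxy: a CGI-style gateway turns every request header into an `HTTP_*` environment variable, so a client that sends `Proxy: ...` ends up setting `HTTP_PROXY` for the script, and any HTTP client library that honours `HTTP_PROXY` will route the script's backend requests through the attacker's host. The following is an added example (not CSA or LANDESK code) that simulates that translation, the gateway-side interception the patch describes, and the script-side check libraries commonly use; all headers, hostnames and function names are constructed for illustration.

```python
"""Added example: how a client-supplied "Proxy:" header becomes HTTP_PROXY in a
CGI-style environment (the httpoxy issue behind CVE-2016-5385), and two ways of
neutralising it. All request data below is constructed for illustration."""
from typing import Dict, Optional

# Constructed request from an attacker-controlled client.
ATTACKER_HEADERS = {
    "Host": "csa.example.com",
    "Proxy": "http://attacker.example:8080",
    "User-Agent": "curl/7.50.0",
}


def header_to_env_name(name: str) -> str:
    """RFC 3875 meta-variable rule: prefix HTTP_, upper-case, '-' becomes '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_environment(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Unprotected gateway: every request header is exported as an HTTP_* variable.
    A client that sends 'Proxy: ...' therefore sets HTTP_PROXY for the script."""
    env = {"REQUEST_METHOD": method}
    env.update({header_to_env_name(k): v for k, v in headers.items()})
    return env


def cgi_environment_hardened(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Protected gateway: the Proxy header is intercepted before translation
    (what the patch notice describes), so HTTP_PROXY can only come from the
    server's own configuration, never from the request."""
    env = {"REQUEST_METHOD": method}
    env.update({header_to_env_name(k): v for k, v in headers.items()
                if k.lower() != "proxy"})
    return env


def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Stand-in for an HTTP client library that reads its outbound proxy from
    HTTP_PROXY when the script makes a backend request."""
    return env.get("HTTP_PROXY")


def outbound_proxy_safe(env: Dict[str, str]) -> Optional[str]:
    """Script-side defence when the gateway cannot be changed: REQUEST_METHOD is
    only present when handling a CGI request, and in that context HTTP_PROXY is
    attacker data, so ignore it. Outside CGI it is trusted operator config."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    for label, build in (("unprotected", cgi_environment),
                         ("hardened", cgi_environment_hardened)):
        env = build(ATTACKER_HEADERS)
        print(f"{label:11}: library would use proxy {outbound_proxy(env)!r}")
```

The gateway-side fix is the one that matters on an appliance, because it protects every script at once; the equivalent in Apache is to drop the header before CGI translation (`RequestHeader unset Proxy early`). The script-side check is only a fallback for code that has to run behind gateways you do not control.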

        • 1. Re: CSA Update Patch 178
          nrasmussen SupportEmployee

          If you are asking how to patch the appliance you can review this doc for those details: How To: Download and Patch the 4.3 Cloud Service Appliance Manually

           

          Thanks,

          Nick R
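After patching, fix item 1 is worth verifying locally rather than only through an external scanner: the notice says the earlier patch replaced the shared OpenSSL library but left a statically linked copy behind, and Qualys SSL Labs only sees whichever copy happens to serve the TLS port it tests. The following is an added example (not CSA or LANDESK code) that scans file contents for the version banner OpenSSL compiles into libcrypto and flags any copy older than the CVE-2016-2107 fix releases (1.0.1t and 1.0.2h, per the OpenSSL advisory of 3 May 2016). The file paths and bytes in the sample are constructed.

```python
"""Added example: find embedded OpenSSL version banners in binaries and flag any
copy that predates the CVE-2016-2107 fix. Not CSA code; sample paths are made up."""
import re
from typing import Dict, List, Set, Tuple

# First releases carrying the fix for CVE-2016-2107 (OpenSSL advisory, 3 May 2016).
FIXED_IN = {(1, 0, 1): "t", (1, 0, 2): "h"}

# Matches the banner compiled into libcrypto, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def versions_in(blob: bytes) -> Set[str]:
    """Every distinct OpenSSL version banner found in a file's bytes."""
    return {m.group(1).decode("ascii") for m in VERSION_RE.finditer(blob)}


def parse_version(v: str) -> Tuple[int, int, int, str]:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if m is None:
        raise ValueError(f"not an OpenSSL version: {v!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def confirmed_fixed(v: str) -> bool:
    """True only when the version is known to contain the CVE-2016-2107 fix."""
    major, minor, patch, letter = parse_version(v)
    branch = (major, minor, patch)
    if branch in FIXED_IN:
        # Letter suffixes order a..z within a branch; no suffix sorts first.
        return (len(letter), letter) >= (1, FIXED_IN[branch])
    if branch >= (1, 1, 0):
        # 1.1.0 and later were released after the fix and never shipped the bug.
        return True
    # 1.0.0 and 0.9.8 were out of support by then: not confirmed, review by hand.
    return False


def scan_blobs(blobs: Dict[str, bytes]) -> List[Tuple[str, str, bool]]:
    """(path, version, confirmed_fixed) for each banner found in each file."""
    findings = []
    for path in sorted(blobs):
        for v in sorted(versions_in(blobs[path])):
            findings.append((path, v, confirmed_fixed(v)))
    return findings


def unfixed_paths(blobs: Dict[str, bytes]) -> List[str]:
    """Files that still carry at least one OpenSSL copy without the fix."""
    return sorted({p for p, _, ok in scan_blobs(blobs) if not ok})


def scan_paths(paths: List[str]) -> List[Tuple[str, str, bool]]:
    """Same scan over real files, for running on an appliance."""
    blobs = {}
    for p in paths:
        with open(p, "rb") as fh:
            blobs[p] = fh.read()
    return scan_blobs(blobs)


# Constructed sample: a patched shared library next to a binary that still has a
# statically linked 1.0.1e, the situation fix item 1 in the notice describes.
SAMPLE_BLOBS = {
    "/usr/lib64/libssl.so.1.0.0": b"\x7fELF...OpenSSL 1.0.1t  3 May 2016\x00...",
    "/opt/csa/bin/static-broker": b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013\x00...",
    "/usr/bin/unrelated": b"\x7fELF...no banner here\x00",
}

if __name__ == "__main__":
    for path, version, ok in scan_blobs(SAMPLE_BLOBS):
        print(f"{'ok  ' if ok else 'VULN'} {version:8} {path}")
```

On the appliance itself the equivalent quick check is `strings` piped through `grep 'OpenSSL [0-9]'` over the service binaries; the point of the version comparison above is that a banner like `1.0.1e` inside a daemon that is not `libssl.so` is exactly the statically linked copy that a shared-library update cannot touch.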

          • 2. Re: CSA Update Patch 178
            carlos Expert

            There is an apply link in the CSA that I didn't see before; that's how it always has been, I just missed it.

             

            Does anyone know what this refers to?

            "...After applying patch 178, third-party certificates need to be reinstalled before switching to FIPS mode. Do not reverse that order!"

             

            I have a third party certificate (godaddy) my CSA is configured as follows:

            [screenshot attachment: 222.PNG]

            I assume that 0 = false which means I'm not using FIPS mode, and therefore applying this patch will not break my cert or connections?

            • 3. Re: CSA Update Patch 178
              phoffmann SupportEmployee

              That would be correct.

               

              If you were to run FIPS, you'd know about it, as it tends to cause all sorts of "special sauce" treatments all over the place. It's a good boost to security, but it's a massive ache in some other regards.

               

              So it's an informational message - as those folks who do use FIPS really, REALLY need to be careful with keeping the order of things correct.