SH CX 9.1.5d


RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD CX
RELEASE DATE: 06-OCTOBER-2017
RIOS VERSION: 9.1.5D

CONTENTS

1) Supported SteelHead Models


2) New Features in RiOS 9.1.0
3) Fixed Problems
4) Known Issues
5) Upgrading the RiOS Software version
6) SteelCentral Controller for SteelHead (SCC) Compatibility
7) Hardware and Software dependencies
8) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS


Important: RiOS 9.1.5d supports Riverbed CX models xx50, xx55, and xx70.

2) New Features in RiOS 9.1.0


Web Proxy
A single-ended Web proxy transparently intercepts all traffic bound to the Internet. The
Web proxy improves performance by providing optimization services such as Web object
caching and SSL decryption to enable content caching and logging services.

The efficient caching algorithm provides a significant advantage for video traffic. The benefit
comes in the form of multiple users viewing the same video content, thereby saving
significant WAN bandwidth and providing efficient network use. YouTube caching is handled
as a special case given its growing popularity in the enterprise.

Enhanced Live Video Stream Splitting


RiOS improves video handling with the following enhancements:
• The stream splitting cache holds more video fragments for a longer period of time to
account for clients that could be out of sync or slower to play back.
• A new report plots the cache hit count over time for a particular live video, indicating
the number of video requests that were served locally from the cache instead of
being fetched over the WAN. The graph also includes a plot for the number of total
live video sessions intercepted.
• The ability to enable video stream splitting on a per-host basis. The ability to
selectively enable stream splitting on a particular host ensures that the cache does
not fill up with recreational content.

MAPI over HTTP Support


RiOS now automatically detects and enables bandwidth optimization for the MAPI over HTTP
transport protocol. Microsoft implements the MAPI over HTTP transport protocol in Outlook
2010 update, Outlook 2013 SP1, and Exchange Server 2013 SP1.

For details on MAPI over HTTP support with Outlook 2010, see
https://support.microsoft.com/enus/kb/2878264.

Path Selection with Interceptor


New path selection functionality allows SteelHead appliances to operate with SteelHead
Interceptor appliances in cluster deployments, providing high-scale and high-availability
deployment options. A SteelHead Interceptor cluster is one or more SteelHead Interceptors
collaborating with one or more SteelHeads to select paths dynamically in complex
architectures, working together as a unified system. Path selection dynamically assigns
applications and traffic types (optimized and nonoptimized TCPv4 and UDPv4 traffic) to
specific network paths based on intelligent user policies.

Autonegotiate Multi-stream ICA


A new configuration option enables Citrix Multi-stream without the need to configure it on
the Citrix server. This feature provides application class hints to QoS for the four priority
connections when Citrix Multi-stream is negotiated. The application class hints allow
configuration of true network-based QoS policies to the individual priority groups for the
virtual channel traffic that they carry. This feature also provides the ability to apply path
selection to the individual Citrix priority groups.

Autonegotiate Multi-stream ICA provides support for non-Common Gateway Protocol (non-
CGP) (plain ICA) connections with XenApp 6.5 and Citrix receiver for Windows 3.0 or later.

Link Aggregation Compatibility
SteelHeads are now compatible with link aggregation protocols, such as EtherChannel, for
in-path deployments to allow use of multiple links in parallel through a SteelHead. Link
aggregation compatibility allows easier integration into networks with preexisting link
aggregation in place. Using multiple links in parallel maximizes throughput and provides
higher physical redundancy.

DSCP Marking for Out-of-Band (OOB) Control Channel Traffic


An OOB connection is a TCP connection that SteelHeads establish with each other when they
begin optimizing traffic. The SteelHeads use the OOB connection to exchange capabilities
and feature information such as licensing, hostname, RiOS version, and so on. The
SteelHeads also use control channel information to detect failures. You can now mark OOB
connections with a DSCP or ToS IP value to prioritize or classify the Riverbed control channel
traffic, preventing dropped packets in a lossy or congested network to guarantee control
packets will get through and not be subject to unexpected tear down.

In-Path Controller Support for Secure Transport


The secure transport client can now use all available interfaces to connect to the secure
transport controller and establish a secure control channel. By default, the client connects
to the controller using the management interface. You can now enable another interface or
select a specific interface using the Riverbed CLI command stp-client controller in-path
enable.

Expanded Application Support for the Application File Engine (AFE)


The AFE was updated with significant additions to the number of popular applications it
recognizes. SteelHeads can now identify more than 1,400 unique applications.

Performance and Scale Improvements to QoS and Path Selection


The improvements include:
• Increased configuration responsiveness and scale, allowing more site definitions on
higher-end SteelHead models. This increase effectively provides unlimited rule
configuration with scalable matching.
• QoS and path selection can now handle many more optimized connections per
second without classification errors.

SteelHead SaaS Improvements
This release introduces a new SteelHead Universal SaaS licensing that enables customers to
optimize any number of supported SaaS applications on the same license. Riverbed will
continually add support for new SaaS to the Riverbed Cloud Portal, and any registered
SteelHead running version 9.1.0 will be able to take advantage of optimization for that SaaS.

3) FIXED PROBLEMS
Problems fixed in version 9.1.5d
• 203889 Fixed an issue for the following cases where the filename length is incorrect:
- SetInfo request.
- Notify Response.
- class FILE_ALL_INFO in GetInfo response.

The SteelHead identifies the invalid filename length and blacklists the connection in
all cases listed above.

Problems fixed in version 9.1.5c


• 242144 Upgrade Apache to 2.4.16 for CVE-2015-3183 and CVE-2015-3185

Details:
CVE-2015-3183: An HTTP request smuggling attack was possible due to a bug in
parsing of chunked requests. A malicious client could force the server to
misinterpret the request length, allowing cache poisoning or credential hijacking if
an intermediary proxy is in use.

CVE-2015-3185: A design error in the "ap_some_auth_required" function renders
the API unusable in httpd 2.4.x. In particular, the API is documented to answer whether
the request required authentication, but it only answers whether there are Require lines in
the applicable configuration. Since 2.4.x, Require lines are used for authorization as
well and can appear in configurations even when no authentication is required and
the request is entirely unrestricted. This could lead to modules using this API to
allow access when they should otherwise not do so. API users should use the new
ap_some_authn_required API added in 2.4.16 instead.

Fix:
Upgraded Apache httpd to 2.4.16 to fix CVE-2015-3183 and CVE-2015-3185.

Recommendation:
Upgrade to a software version with the fix.

• 247279 Fixed an issue where HTTP 1.1 web apps using chunked transfer-encoding
were sending very large numbers of small chunks, which can cause high CPU
utilization. In extreme cases, the high CPU condition caused by long chains of small
chunks can cause a watchdog timeout, stack trace, and pause optimization. With
this fix, the Outlook Anywhere services combine the small chunks into one larger
chunk.
• 253126 Fixed an issue where optimization reports could show unusually high values
that didn't match the actual traffic.
• 261671 Fixed an issue that caused rsyslog to fail to start due to files existing in
/dev/log. On start of rsyslog, /dev/log is checked for files; if any files are found, they
are removed before starting it.
• 265020 Fixed an issue where type conversion during sysdump generation would
cause the sysdump to hang indefinitely.
• 286490 Appliance reload operations are improved, to increase boot-up resiliency, on
the CX 5070, CX 7070, and SteelFusion Core 3500. The improvements are applicable
when invoking reload through CLI, UI, or SCC, and when invoked on a release that
contains the improvement.
• 286625 Apache httpd less than 2.4.27 has vulnerabilities CVE-2017-9788 and
CVE-2017-9789.

Details:
CVE-2017-9789: When under stress, closing many connections, the HTTP/2 handling
code in Apache httpd 2.4.26 would sometimes access memory after it has been
freed, resulting in potentially erratic behaviour.

CVE-2017-9788: The value placeholder in [Proxy-]Authorization headers of type
'Digest' was not initialized or reset before or between successive key=value
assignments by mod_auth_digest.

Providing an initial key with no '=' assignment could reflect the stale value of
uninitialized pool memory used by the prior request, leading to leakage of
potentially confidential information, and a segfault.

Fix:
Upgraded to Apache httpd 2.4.27.

Recommendation:
Upgrade to a software version with the fix.

Problems fixed in version 9.1.5b
• 280837 Fixed an issue where read aheads couldn't provide data to a disabled data
manager by stopping read aheads from being triggered when the data manager is
disabled.
• 282714 Enhancement: Added CLI command "reset factory preserve-licenses" to
preserve licenses when issuing a factory reset.

Problems fixed in version 9.1.5a


• 272077 Fixed an issue where the SCC could fail to push policy configuration changes
in the QoS, path selection, and secure transport functional areas due to a DPI
versioning mismatch. This bug affects RiOS 9.1.5, 9.2.1a.
Error messages such as the following could be seen after an unsuccessful policy
push:
[config.ERROR] Appliance has DPI version 1.2 which is not supported by SCC

Problems fixed in version 9.1.5


• 157369 Fixed an issue where SteelHead optimization might be disrupted when a
Mac OS X server responds with a lease request when a lease is not requested.
• 195298 Fixed an issue that caused a SteelHead crash when duplicate File IDs (fid)
are returned by the server for different open/create requests.
• 236123 Fixed an issue where opening the Connections Report page can
sometimes lead to the crash of the management process if the QoS feature is
enabled on the SteelHead.
• 240730 Fixed a problem by correctly honoring the metadata cache timeout, even
for timeout values less than 1000 ms. With this fix, the cache timeout can be set to
an appropriate value to suit a specific scenario. A timeout of 0 ms would stop CFE
from answering the GetInfo requests locally and forward them to the server.
• 248778 A race condition in the tty driver causes a kernel panic, leading to an
unexpected reboot of the system. Fixed a possible race condition in the tty driver.
• 249764 Fixed an issue where self-signed SSL certificates were using RSA-SHA1
instead of RSA-SHA512 with a key size of 2048 bits or higher. Support for SHA1
certificates is being deprecated by web browsers, which eventually leads to them
not accepting RSA-SHA1 certificates.
• 252525 Fixed locking for the RPC_IN_DATA and RPC_OUT_DATA virtual
connection registry to prevent a condition that would lead RiOS to crash with
Outlook Anywhere enabled.

• 254499 CVE-2016-1285 and CVE-2016-1286 [BIND]: The BIND nameserver, used
for the caching DNS feature, has vulnerabilities that can lead to a denial of service.

Details:
The BIND nameserver, used for the caching DNS feature, has the vulnerabilities
CVE-2016-1285 and CVE-2016-1286, which can lead to denial of service.

Fix:
Upgraded the BIND nameserver to 9.9.8-P4 to fix these vulnerabilities.

Recommendation:
Upgrade to a software version with this fix. This vulnerability does not apply if the
caching DNS server is not used.
• 254549 Pass-through traffic does not reflect DSCP marking from QoS rule. If the
SteelHead has a QoS rule configured with a specific DSCP marking, and also has path
selection enabled for the same pass-through traffic with DSCP marking as reflect,
the packets are not DSCP marked. There is no workaround.
• 255015 Fixed a problem where the SteelHead did not release all of the memory it
had allocated when processing HTTP responses with more than 255 HTTP headers.
This fix prevents unnecessary memory admission control.
An in-path rule can be added to bypass traffic to an HTTP server that generates
excessive HTTP headers.
• 256887 Fixed an issue where VLAN tagged packets from different connections were
always hashed into a single Shared Fair Queueing (SFQ) slot, which would lead to
excessive packet drops. This behavior occurred because the IP tuple was not
extracted correctly for VLAN tagged packets.
With this fix, the IP tuple is extracted correctly for VLAN tagged packets.
• 257093 CVE-2016-1979 and CVE-2016-1978 nss: Use-after-free during processing of
DER-encoded keys and during SSL connections in low memory

Details:
CVE-2016-1978, CVE-2016-1979: Use-after-free vulnerabilities in NSS libraries when
processing DER-encoded keys. This library is not used by Riverbed optimization or
management software, but is used by base operating system software.

Fix:
Upgraded NSS and NSPR to a version with the fix.

Recommendation:
Upgrade to a software version with the fixed NSS and NSPR.

• 257863 After the system is shut down or its shared port is administratively brought
down, the BMC is not accessible through the network, preventing the user from turning on
or managing the system remotely. Do not bring the shared port down, so that
management traffic can pass through.
• 258526 Fixed an issue where a syntax error, or some other formatting error, in the
Kerberos configuration file /etc/krb5/krb5.conf can cause SteelHead to crash. With
this fix, syntax or formatting errors are processed without causing a crash.
• 259342 Fixed an issue by updating SSL code to more aggressively discard obsolete
cached session information, which could lead to memory admission control or an
optimization service crash.
• 259435 Fixed an issue where Office365 connections were mis-classified as
Skype-Auth in the current connections table. The DPI library was updated to address this
issue.
• 260802 Fixed an issue that caused the "show running-config" command to fail when
the system configuration contains Unicode characters. The system was not properly
parsing Unicode, causing the command to abort before printing the system
configuration.
• 261021 expat vulnerability CVE-2016-0718 with crafted XML.

Details:
CVE-2016-0718: expat has a vulnerability in which crafted XML could cause a crash or
code execution.

Fix:
Upgraded expat to a version with the fix for this vulnerability.

Recommendation:
Upgrade to a software version with this fix.
• 266502 Fixed a concurrency issue that caused the optimization service to crash
when more than one thread concurrently accessed a map to dump MAPI diagnostic
information. This happens when multiple threads encounter MAPI optimization
failure and attempt concurrent access to the map. The map is now protected by a lock,
which avoids this crash.
• 267620 Fixed an issue where a MIB syntax error caused the SNMP tool
(Net-SNMP) to fail when parsing the file. The fix realigns the description in MIB files with
the correct syntax.
• 269556 Fixed an issue where the optimization service could crash when an array in
the data store had an invalid value at a particular valid offset.

• 269724 CVE-2016-2776: Caching DNS server, if enabled, is vulnerable to a
denial-of-service attack.

Details:
Caching DNS server, if enabled (not enabled by default), is vulnerable to a denial-of-
service attack CVE-2016-2776.

Fix:
Upgraded BIND to 9.9.9-P3.

Recommendation:
Upgrade to a software version with the fix.
• 270018 Power supply alarm indicated, then cleared a minute later. On rare
occasions, spurious power supply status may be read. These were interpreted as
indications of a failure, and resulted in alarms. Usually the next reading (a minute
later) was valid, and the alarm was then cleared. To cope with these spurious
indications, we now require 5 sequential, identical bad status readings before an
alarm is raised.
• 270444 CVE-2016-5195: Linux kernel copy-on-write (COW) results in local privilege
escalation.

Details:
CVE-2016-5195 ("dirty COW"): A race condition was found in the way the Linux
kernel's memory subsystem handled the copy-on-write (COW) breakage of private
read-only memory mappings. An unprivileged local user could use this flaw to gain
write access to otherwise read-only memory mappings and thus increase their
privileges on the system.

This flaw could be abused by an attacker to modify existing setuid files with
instructions to elevate privileges. An exploit using this technique has been found in
the wild.

Fix:
Applied patch to fix this vulnerability.

Recommendation:
Upgrade to a software version with this fix.

• 270610 CVE-2015-5364, CVE-2015-5366: Linux kernel UDP denial of service
vulnerabilities.

Details:
CVE-2015-5364: The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux
kernel before 4.0.6 do not properly consider yielding a processor, which allows
remote attackers to cause a denial of service (system hang) via incorrect checksums
within a UDP packet flood.

CVE-2015-5366: The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux
kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows
remote attackers to cause a denial of service (EPOLLET epoll application read
outage) via an incorrect checksum in a UDP packet, a different vulnerability than
CVE-2015-5364.

Fix:
Applied patches for the above vulnerabilities.

Recommendation:
Upgrade to a software version with this fix.
• 270698 Enhancement: SteelHead DPI library updated. Enhancement: Updated the
SteelHead DPI library to add support for identifying new applications. This
enhancement improves system performance, memory tracking, and API debugging.
• 271325 curl 7.47.1 has various vulnerabilities as described at
https://curl.haxx.se/docs/security.html.

Details:
curl 7.47.1 has various vulnerabilities as described at
https://curl.haxx.se/docs/security.html

Fix:
Upgraded curl to 7.51.0.

Recommendation:
Upgrade to a software version with this fix.

• 271337 CVE-2016-8864: Caching DNS server, if enabled (not enabled by default), is
vulnerable to denial of service attack.

Details:
Caching DNS server, if enabled (not enabled by default), is vulnerable to denial of
service attack CVE-2016-8864.

Fix:
Upgraded BIND to 9.9.9-P4 to fix CVE-2016-8864.

Recommendation:
Upgrade to a software version with the fix.
• 272633 Fixed an issue where GeoDNS for SteelHead SaaS Office 365 optimization
can cause a kernel crash due to a race condition.
• 272721 Fixed an issue and addressed memory leaks in QoS and Appstats features
when they use a deep packet inspection library.
• 272744 CVE-2016-6313: A design flaw was found in the libgcrypt PRNG
(Pseudo-Random Number Generator). An attacker able to obtain the first 580 bytes of the
PRNG output can predict the following 20 bytes.

Details:
CVE-2016-6313: A design flaw was found in the libgcrypt PRNG (Pseudo-Random
Number Generator). An attacker able to obtain the first 580 bytes of the PRNG
output can predict the following 20 bytes.

Fix:
Upgraded the libgcrypt package to fix this vulnerability.

Recommendation:
Upgrade to a software version with the fix.
• 273259 Fixed an issue where the server-side session reuse fails when the original
session was terminated before negotiation completed. The result is logged as
"error:140750DD:SSL routines:ssl23_connect:ssl23 doing session id reuse" if the
session is subsequently selected for reuse.
This fix adds checks to ensure only fully negotiated SSL sessions are allowed for
session reuse.

• 273275 CVE-2016-7431: ntpd has a remote denial of service vulnerability.
CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7433,
CVE-2016-7434, CVE-2016-9310, CVE-2016-9312 are not applicable or are a low security
risk.

Details:
ntpd has security vulnerabilities described in
http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se.

CVE-2016-7431, a remote denial of service vulnerability, is a medium security risk
and applicable.

CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7433,
CVE-2016-7434, CVE-2016-9310, CVE-2016-9312 are not applicable or are a low
security risk.

Fix:
Upgraded ntpd to 4.2.8p9 to fix these vulnerabilities.

Recommendation:
Upgrade to a software version with the fix.
• 274237 Fixed an issue where the optimization service crashes when importing a
certificate that uses an ECDSA type key. A mgmt WARNING message accompanied
the crash stating "unknown public key type".
This fix makes updates that allow the use of certificates with ECDSA keys.
• 276808 CVE-2016-6321: GNU tar 1.14 to 1.29 is vulnerable to crafted tar archives
with .. in the path. This can affect the appliance if an attacker convinces an
administrator to upload a false crafted image file and attempts to install it.

Details:
CVE-2016-6321: GNU tar 1.14 to 1.29 is vulnerable to crafted tar archives with .. in
the path. This can affect the appliance if an attacker convinces an administrator to
upload a false crafted image file and attempts to install it.

Fix:
Applied patch to GNU tar to fix this vulnerability.

Recommendation:
Upgrade to a software version with this fix.
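
A pre-install check for the condition described in 276808, added here as an example (it is not Riverbed's or GNU tar's code): it lists archive members whose name or link target is absolute or contains a ".." path component, so an image file can be rejected before an administrator uploads it. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath


def _escapes(path_text):
    """True if a tar path is absolute or contains a '..' component."""
    path = PurePosixPath(path_text)
    return path.is_absolute() or ".." in path.parts


def unsafe_members(archive_bytes):
    """Return (member name, reason) for every member that could be written
    outside the directory the archive is extracted into.

    Only the archive headers are read; nothing is extracted.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            # Compare whole path components, so a file called "notes..txt"
            # is not flagged but "a/../b" is.
            if _escapes(member.name):
                findings.append((member.name, "member path escapes"))
            # Symbolic and hard links can also redirect a later write.
            if (member.issym() or member.islnk()) and _escapes(member.linkname):
                findings.append((member.name, "link target escapes"))
    return findings


def build_sample(names):
    """Build a small constructed tar archive in memory (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one clean archive, one with a '..' member.
    clean = build_sample(["image/rootfs.img", "image/notes..txt"])
    crafted = build_sample(["image/rootfs.img", "image/../../outside.txt"])
    for label, blob in (("clean", clean), ("crafted", crafted)):
        problems = unsafe_members(blob)
        print(label, "REJECT" if problems else "ok", problems)
```
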

• 276940 OpenSSL 1.0.2j vulnerabilities described in
https://www.openssl.org/news/cl102.txt; upgrade to 1.0.2k needed.

Details:
OpenSSL has vulnerabilities as described at
https://www.openssl.org/news/cl102.txt:
CVE-2017-3731: Truncated packet could crash via OOB read (32-bit systems only).
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64.
CVE-2016-7055: Montgomery multiplication may produce incorrect results.

Fix:
Upgraded OpenSSL to 1.0.2k.

Recommendation:
Upgrade to a software version with the fix.
• 276957 CVE-2017-3731, CVE-2017-3732, CVE-2016-7055: OpenSSL 1.0.2j has
vulnerabilities as described in https://www.openssl.org/news/cl102.txt.

Details:
OpenSSL has vulnerabilities as described at
https://www.openssl.org/news/cl102.txt:
CVE-2017-3731: Truncated packet could crash via OOB read (32-bit systems only).
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64.
CVE-2016-7055: Montgomery multiplication may produce incorrect results.

Fix:
Upgraded OpenSSL to 1.0.2k.

Recommendation:
Upgrade to a software version with the fix.

Problems fixed in version 9.1.4a


• 260458 Fixed an issue in SMB2 serialization logic. When a setinfo request was sent
on a child directory/file and a find request was sent on the parent of it with the
search pattern the name of the child, the setinfo had to be processed first. This flaw
in the serialization logic could cause RiOS to fail.

Problems fixed in version 9.1.4


• 162024 Fixed an issue where error messages occur in the log when viewing bypass
table entries for servers with a domain name longer than 64 characters. The
optimization service is unaffected; however, this condition could lead to an
unresponsive CLI. With this fix, bypass table descriptions are still truncated. However,
the error message has been resolved and no longer leads to an unresponsive CLI.
• 193466 Fixed an issue that triggered a high CPU alarm and could cause a possible link
drop during a SteelCentral Controller (SCC) policy push. Fix improves efficiency of the
code that is responsible for configuring certificate updates on the SteelHead.
• 229753 Fixed an issue wherein the file transfers from servers to the OSX 10.9 clients
are slow. A new hidden CLI command on the client-side SteelHead has been added
for faster file transfers to OSX 10.9 clients. To enable SMB2 optimization on the OSX
10.9 clients, use the following CLI command:
protocol smb2 mac-oplock enable
To disable this feature, use the no version of the command:
no protocol smb2 mac-oplock enable
• 242318 Fixed an issue where "image fetch" times out after 5 minutes for scp:// URLs.
This behavior could occur if the link that image was transferred over was slow,
resulting in the file transfer taking more than 5 minutes. The timeout handler has
been updated to monitor transfer progress, instead of closing the connection if a
transfer cannot complete under 5 minutes.
• 242958 Fixed an issue that caused optimization service disruption due to timing of
events when a client tried to open a file for which the client SteelHead already has an
open file-open-instance. This fix caches the next iterators when a C++ container gets
modified.
• 243000 Fixed an issue where the Outlook Anywhere optimization service was
incorrectly intercepting non-MAPI traffic. This issue was fixed by changing the
behavior of HTTP parsing to allow for case-insensitive searching of the HTTP header
for the content length field.
• 248683 Fixed an issue in parsing HTTP packets within the SteelFlow WTL blade so
that it does not keep buffering data after encountering a NULL byte.
This issue may be accompanied by logs similar to "[pm.ERR]: Output from sport:
src/central_freelist.cc:480] tcmalloc: allocation failed 24576 ( 6 pages) for sizeclass 57
upto 4352". Issue may also result in Admission Control alerts and optimization
service process crashes.
• 250024 Fixed an issue with optimization service failure by handling uncaught
exception thrown by the SMB2 connection handling code.
• 250710 Fixed an issue where optimization service crashes if a thread tries to allocate
a local structure larger than the stack size and fails. The solution is to allocate the
local structure on the thread's stack up to a certain threshold size only. Otherwise,
allocate the structure from the heap.
• 250834 Fixed an issue where memory leaks may occur if non-SSL traffic flows over
SSL ports.
• 251349 Fixed a problem where an optimization service crash occurred during
shutdown due to a lock synchronization failure. Improved the dynamic configuration
locking mechanism to prevent problems during shutdown or the shutdown phase of
service restart.
• 251474 Fixed a timing issue that was caused by not protecting a data structure with a
lock in the IOCTL workflow. This fix ensures the data structure is protected by the
lock when SteelHead reaches the unsafe SMB2 IOCTL workflow.
• 253563 Fixed an issue with client authentication where connections to a server might
be put into bypass mode when TLSv1.2 support is enabled, but server negotiates
TLSv1 or SSLv3. A code change was made to explicitly assure that for client
authentication the SteelHead must negotiate the same protocol version as the client
and server.
• 254647 Fixed an issue where the optimization service did not parse Citrix ICA frames when
Auto-Negotiate Multi-Stream ICA is enabled on the client SteelHead and Citrix
latency optimizations (Client Drive Mapping, Small packets) are disabled. The fix will
enable the capability in the optimization service to find the connection priority of the
4 Multi-Stream ICA connections and classify them for QoS. Without the bug fix, the 4
Multi-Stream ICA connections will not be classified for QoS when Citrix latency
optimizations are disabled.
• 255865 The "sport listen-backlog" CLI command is used to increase the SYN packet
backlog for the SteelHead inner connection socket. This patch addresses the issue
with an incomplete implementation of this feature.
• 256997 Fixed an issue where, in rare cases, the SteelHead does not handle
authentication context data correctly and the connection is dropped with a message
in the client's logs: "When retrieving the auth context, unexpectedly did not receive a
pulled up buffer." This fix corrects handling of the data related to the authentication
context so the connection is not dropped.
• 257344 Fixed an issue where non-HTTP connections that are handled by an
optimization policy of Exchange Autodetect may leak memory. Over time this
memory leak could cause the SteelHead to crash.
• 257361 Fixed an issue that caused "/var/tmp" on the SteelHead to fill up with
"tmpXXXXXX" files, which resulted in disk full errors. When configuration backups
from the SteelHead to the SCC failed, the temporary files in "/var/tmp" were not
cleaned up. Over time this led to "/var" becoming full, and disk full errors were
printed in the logs.
• 257723 Fixed an issue where the MAPI optimization services for RPC over TCP and
Outlook Anywhere could sometimes encrypt packets with the incorrect
authentication context information. The MAPI optimization services now ensure that
the correct authorization context is used when encrypting packets.
• 258838 Fixed an issue where the local time for Venezuela is a half hour off. This is
due to Venezuela changing from UTC-4.5 to UTC-4 on 2016/05/01. Upgraded tzdata
from 2015a to 2016d, which includes updated information for Venezuela.
• 259112 Fixed an issue where the handling of HTTP transactions by the Outlook
Anywhere optimization service could lead to an excessive amount of logging. In some
rare cases, it could lead to mishandled data if the HTTP request used the "Expect:
100-continue" header. The Outlook Anywhere optimization server now correctly
bypasses HTTP connections whenever it sees a request containing the "Expect:
100-continue" header.
• 261181 ntp vulnerabilities described at
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi

Details:
ntp vulnerabilities described at
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi
1. Sec 3046 / CVE-2016-4957 / VU#321640: Crypto-NAK crash
2. Sec 3045 / CVE-2016-4953 / VU#321640: Bad authentication demobilizes
ephemeral associations
3. Sec 3044 / CVE-2016-4954 / VU#321640: Processing spoofed server packets
4. Sec 3043 / CVE-2016-4955 / VU#321640: Autokey association reset
5. Sec 3042 / CVE-2016-4956 / VU#321640: Broadcast interleave

Fix:
Upgraded ntp to 4.2.8p8 to include fixes for these vulnerabilities.

Recommendation:
Upgrade to a version of the software with the fix.
• 261532 Fixed an issue that caused Office 365 SharePoint connections to fail when
optimized through SteelHead SaaS. This fix prevents SharePoint traffic from
incorrectly presenting an Office 365 Exchange service certificate, causing failed
connections. The SteelHead SaaS service now identifies SharePoint service correctly
and ensures that the right certificate is used for the connection.
• 261591 Fixed an issue where the Outlook Anywhere optimization service would
buffer chunk-encoded HTTP data that was unrelated to Outlook Anywhere. If these
HTTP chunks were large enough, it could cause memory problems on the SteelHead.
The Outlook Anywhere optimization service no longer buffers non-Outlook Anywhere
chunk-encoded data.
• 262810 August 10, 2016, Riverbed security advisory for SteelHead and SteelFusion
Edge for NetShark feature

Details:
The SteelCentral NetShark feature on the SteelHead CX, SteelHead EX, and
SteelFusion Edge appliances is using an outdated version of OpenSSL (0.9.8k), which
includes several known security vulnerabilities.

Fix:
NetShark functionality will no longer be visible as a configurable option.

Workaround:
Customers with NetShark enabled in RiOS, including the deprecated versions, should
disable this feature. For more details see the following Knowledge Base article:
https://supportkb.riverbed.com/support/index?page=content&id=S28669
 263535 Fixed an issue with the DNS cache statistics for hits and misses being
reported incorrectly as zero (0) after upgrading the SteelHead appliance to release
9.2.0. This issue is limited to the hits and misses statistics only. This issue does not
affect the statistics shown in the DNS caching and cache utilization report.
 264708 Fixed an issue that caused SCC backups of SteelHeads to fail after first
upgrading from 9.1.3 to 9.1.3a. The SCC session initially uses login authentication
tokens generated in 9.1.3 that include an expiration. When the token expires, it
causes SCC backups to fail. This issue only impacts systems that previously loaded
9.1.3 and can occur up to 7 days after upgrade to 9.1.3a.
 265375 OpenSSH before 7.3 has the following vulnerabilities, described in
http://www.openssh.com/txt/release-7.3 : CVE-2016-6515, CVE-2016-6210,
CVE-2015-8325.

Details:
OpenSSH before 7.3 has the following vulnerabilities, described in
http://www.openssh.com/txt/release-7.3 :
CVE-2016-6515: sshd(8): Mitigate a potential denial-of-service attack against the
system's crypt(3) function via sshd(8). An attacker could send very long passwords
that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept
password authentication requests of length greater than 1024 characters.
Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
CVE-2016-6210: sshd(8): Mitigate timing differences in password authentication that
could be used to discern valid from invalid account names when long passwords were
sent and particular password hashing algorithms are in use on the server. Reported
by EddieEzra.Harari at verint.com
CVE-2015-8325: sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified environment variables and
UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via
LD_PRELOAD or similar environment variables set via PAM. Found by Shayan Sadigh.

Fix:
Upgraded to OpenSSH 7.3p1 to fix these vulnerabilities.

Recommendation:
Upgrade to a version of the software with the fix.
The OpenSSH project has announced that the following features are deprecated for
security reasons and will be completely removed in a near future release:
* RSA keys smaller than 1024 bits.
* SSH version 1 protocol.
Customers should ensure that all SSH clients and servers use the SSH version 2
protocol, for which SSH software has been available since 2006. SteelHead
appliances default to using only the SSH version 2 protocol and will only allow the
SSH version 1 protocol if "no ssh server v2-only" is used. This command will be
removed in the future when SSH version 1 protocol support is removed from
OpenSSH.
 268231 OpenSSL vulnerabilities described in
https://www.openssl.org/news/secadv/20160922.txt. Note that CVE-2016-6304 is a
high DoS, CVE-2016-6305 is a moderate DoS, and the others, including
CVE-2016-2183 SWEET32 are low.

Details:
OpenSSL prior to 1.0.2i and 1.0.1u has vulnerabilities described in
https://www.openssl.org/news/secadv/20160922.txt. Note that CVE-2016-6304 is a
high DoS, CVE-2016-6305 is a moderate DoS, and the others, including
CVE-2016-2183 SWEET32 are low. OpenSSL 1.0.2i has vulnerability CVE-2016-7052, a
moderate DoS.

Fix:
OpenSSL has been upgraded to 1.0.2j or 1.0.1u.
Note that, for the CVE-2016-2183 SWEET32 vulnerability, the vulnerable ciphers are
moved from the HIGH to the MEDIUM category. This means that they will be
disabled by default in the web server with the current cipher string
"HIGH:-aNULL:-kKRB5:-MD5". However, if the cipher string has been changed to
include MEDIUM or 3DES, this vulnerability will still be present.

Recommendation:
Upgrade to a software version with the fix.
If MEDIUM or 3DES has been added to the web server cipher string, set a new cipher
string without it with "web ssl cipher" to disable the ciphers vulnerable to the CVE-
2016-2183 SWEET32 vulnerability.
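
A static check for the condition in the recommendation above, added here as an example (it is not Riverbed or OpenSSL code): it walks a "web ssl cipher" string left to right and reports whether 3DES suites remain selected once 3DES is categorised as MEDIUM. The keyword sets and function names are assumptions of this example; selectors it cannot classify (such as kRSA) are returned as unresolved and need to be expanded on the target OpenSSL build.

```python
"""Static SWEET32 (CVE-2016-2183) audit of an OpenSSL cipher string."""
import re

# Selectors that pull in at least one 3DES suite once 3DES is categorised as
# MEDIUM. MEDIUM and 3DES are the two the release note names; ALL and DEFAULT
# are added here because in OpenSSL 1.0.x they expand to a superset of MEDIUM.
ADDS_3DES = frozenset({"MEDIUM", "3DES", "ALL", "DEFAULT"})
# Selectors whose removal takes every 3DES suite out of the list.
COVERS_3DES = frozenset({"MEDIUM", "3DES", "ALL"})
# Keywords that contain no 3DES suite under the post-fix categorisation.
NO_3DES = frozenset({"HIGH", "LOW", "EXPORT", "EXP", "AES", "AES128", "AES256",
                     "AESGCM", "CAMELLIA", "RC4", "SEED", "IDEA", "eNULL", "NULL"})


def classify(part):
    """Return '3des', 'safe' or 'unknown' for one keyword or suite name."""
    if part in ADDS_3DES or "DES-CBC3" in part or "3DES" in part:
        return "3des"      # keyword, or a suite name such as DES-CBC3-SHA
    if part in NO_3DES or "-" in part:
        return "safe"      # known keyword, or an explicit non-3DES suite name
    return "unknown"       # e.g. kRSA, aRSA, SHA1: needs real expansion


def audit_cipher_string(cipher_string):
    """Track whether 3DES suites are selected after each item is applied.

    OpenSSL rules modelled: a bare item appends suites, '-' removes them
    (they may be re-added later), '!' removes them permanently, a leading
    '+' only reorders, and 'A+B' inside an item is the intersection of A and B.
    """
    present = False    # some 3DES suite is currently in the list
    killed = False     # 3DES was removed with '!' and cannot come back
    because = None     # the item that last added 3DES
    unresolved = []    # added items this static check cannot classify

    for item in re.split(r"[:, ]+", cipher_string.strip()):
        if not item or item.startswith("@"):      # @STRENGTH etc. only sort
            continue
        op = item[0] if item[0] in "!-+" else ""
        parts = item[len(op):].split("+")
        kinds = [classify(p) for p in parts]

        if op in ("!", "-"):
            # Only a selector covering every 3DES suite clears the flag; a
            # partial removal (one suite, or an intersection) is ignored.
            if len(parts) == 1 and parts[0] in COVERS_3DES:
                present, because = False, None
                unresolved.clear()
                killed = killed or op == "!"
        elif op == "+" or killed or "safe" in kinds:
            # Reorder only, permanently removed, or an intersection with a
            # set that holds no 3DES suite: nothing is added.
            continue
        elif "3des" in kinds:
            present, because = True, item
        else:
            unresolved.append(item)

    return {"has_3des": present, "because": because, "unresolved": unresolved}


if __name__ == "__main__":
    # Constructed sample strings; the first is the default quoted in the note.
    samples = [
        "HIGH:-aNULL:-kKRB5:-MD5",
        "HIGH:MEDIUM:-aNULL:-kKRB5:-MD5",
        "HIGH:MEDIUM:!3DES:DES-CBC3-SHA",
        "HIGH:MEDIUM:-3DES:DES-CBC3-SHA",
        "HIGH:kRSA",
    ]
    for s in samples:
        print(f"{s:40} {audit_cipher_string(s)}")
```

An empty "unresolved" list together with "has_3des" False means every item in the string was classified and none selects a 3DES suite.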
 268381 Fixed an issue that prevented the WebUI from supporting TLSv1.2
connections when the appliance is running in FIPS mode.
 269380 Fixed an issue where time zone data on the appliance did not account for
two recent time zone changes: Turkey adopting permanent +3 summer time, and a leap
second on 2016-12-31 23:59:60 UTC.
With this fix, the time zone data is upgraded to 2016g to account for the recent
time zone change for Turkey and to include a leap second on 2016-12-31 23:59:60 UTC.

Problems fixed in version 9.1.3a


 253661 Fixed an issue to prevent corrupting the server-side optimization service
data store page when SMB2 connection blacklisting is done. This fix applies only
when the client negotiates the SMB3.11 dialect.

 254285 Fixed an issue where hundreds of logins would cause the web daemon to
use up too many file descriptors, causing the management backend to become
unresponsive.
 258395 Remediation involved changes in four areas: 1) Increasing the time allowed
for the certificate transfer, 2) Cleaning up data structures in the event of a transfer
failure, 3) Moving intermittent files involved with the transfer to a scalable partition,
and 4) Adjusting the size of the partition involved.
 258522 Fixed an issue with GeoDNS for SteelHead SaaS Office 365 optimization
causing high CPU overhead. This could happen when clients are using a different
DNS server than those configured on the SteelHead appliance or when a large
number of clients are being GeoDNS optimized and cleanup of the GeoDNS entries
is very frequent.
 259280 Fixed an issue where the browser-based online help link on the Help page
does not work. Online help can still be accessed via a help icon (the question mark)
on any configuration page. This issue affects only RiOS 9.1.x releases starting at
9.1.2.
 260911 Enhanced checks on the client SteelHead to gracefully bypass traffic when
the client SteelHead does not support ciphers negotiated by the server-side
SteelHead.
 261870 Fixed an issue in releases 9.1.3 and 9.2.0 that caused SCC backups of
SteelHeads to fail after a week. The login authentication token the SCC uses when
connecting to the SteelHead for backup operations expired, causing backups to fail.

Problems fixed in version 9.1.3


 145734 Fixed an issue so that the sport.log files are written to after performing a log
rotation. Also ensures the currently active sport.log file and all archived sport.log
files are included in the archive on a full sysdump generation.
 167022 Fixed an issue in the SNMP service that caused the IF-MIB::ifHCInUcastPkts.*
counters, when read through SNMP, to give large incorrect values that appear to
decrement instead of increment when packets go through the associated interfaces.
 219716 Fixed an issue where an incomplete cleanup in one of the optimization
process components could cause the optimization service to fail during restart with
errors similar to "address in use".

 221778 Fixed an issue that occurs when HTTP-based services use chunk encoding to
transfer large amounts of data, but at slow rates over time. One example was a
stock ticker widget that received a continuous stream of small price updates. When
this occurs over multiple connections simultaneously, it can lead to out-of-memory
conditions. The slow data rate is significant because small packets bypass the
deduplication provided by scalable data referencing (SDR) and exacerbate memory
consumption. A chunk limit has been added to limit response data buffering.
Buffering limits have been put into place to prevent this from leading to errors.
 225191 Fixed an issue where the SteelHead optimization service could crash if
sufficient contiguous memory is not available. This issue was fixed by preallocating
and reusing adequately sized memory blocks. In addition, connection load balancing
is now disabled whenever SDR-Adaptive is enabled.
 231991 Fixed an issue in the User Interface that made all port label names lower
case before being saved to the database.
 232738 This fix corrected the condition where accelerated responses to the Outlook
client were sent under the wrong authentication context resulting in the Outlook
client's state being corrupted.
 240007 Fixed an issue with CIFS Prepopulation Web UI and CLI interface showing
incorrect next full synchronization time.
 241231 Fixed an issue where the SteelHead could become unresponsive if the
Secure Peering gray list grew too quickly. With this fix, the rate at which peers are
added to the Secure Peering gray list is limited to once every 5 seconds.
 241422 Fixed an issue where accented characters or special symbols in the Message
of the Day (MOTD) banner could cause logins to fail or rendering problems in the
Management Console.
 242330 Fixed an issue where importing SSL certificates that have commas in their
hostname would cause an error in the Administration -> Security -> Web Settings UI
page.
 242661 Fixed an issue where a message "[rpch/csh.NOTICE] 1019415
{10.1.2.3:20000 10.4.5.6:80} HTTP headers > 64KB, passing through connection"
appears in the log. Under certain conditions, this message appears while examining
an HTTP connection for Outlook-Anywhere traffic to a web server that is not an
Exchange server. No workaround is needed. To prevent this message, you can
disable Outlook Anywhere auto-detect and add an in-path rule to use Outlook
Anywhere latency optimization only for Microsoft Client Access Servers (CAS).
 244238 Fixed an issue where the MIBs hrSWRunPerfCPU and hrSWRunPerfMem
were not reported with the correct values by the SNMP server. The SNMP server no
longer improperly parses /proc/$pid/stat, which had caused incorrect values to be
returned.

 246056 Made improvements to memory handling in SteelHead models 1050L and
1050M to reduce the possibility of performance issues and memory paging alarms.
Such performance and memory paging issues had increased since the RiOS 9.0.x
release.
 247382 Fixed a problem in SteelHead SaaS backhauled deployment mode that could
cause a loss of connectivity on long-lived optimized SaaS connections. This issue can
happen if the SteelHead performing SteelHead SaaS redirection of optimized SaaS
connections has a high number of pass-through connections going through it. Under
such load the SteelHead might stop performing SteelHead SaaS UDP redirection of
the connection, leading to a loss of connectivity for those flows.
 247560 Corrected an issue where the web inactivity timeout was not being honored
in the web UI. After this correction, web UI sessions will get logged out after the
amount of time specified by the user in the "web inactivity timeout" setting. To
work around this issue, the CLI command "web session timeout" can be used to
enforce a timeout period.
 248345 Fixed an issue where the optimization service crashes by adding logic to
correctly identify freed memory in the store.
 248633 Fixed an issue that caused reverting to RiOS 9.0.1 or later to fail. This
occurred when an appliance's configuration database of a given name was deleted,
and then later another configuration of the same name was added. For some
databases, only the database for the current RiOS was deleted, while with others, all
databases including backed up versions for previous RiOS versions were deleted. On
revert, those databases where all previous versions were deleted could not properly
revert, causing the image revert to fail.
 248790 Fixed an issue where the SteelHead 'config-save needed' flag may light up
on the SteelCentral Controller for SteelHead every 24 hours when it receives an
update from the Riverbed Cloud Portal and the SteelHead has the SteelHead
SaaS/Cloud Accelerator feature and GeoDNS optimization enabled.
 248870 Fixed an issue where /config became full after thousands of logins to the
web UI and CLI occurred. This caused a flash_error alarm to be raised and errors in
the syslog, indicating many system services were unable to start.
 249243 Fixed an issue so that users can now select parent classes when viewing
traffic reports for QoS.
 249289 Fixed an issue to make sure that RiOS does not crash during shutdown when
an active splice requests domain information and the domain-auth config global has
already been destroyed.
 249863 Fixed an issue where user identity might be reassigned by SharePoint
optimization. "Set-Cookie" headers were being saved and redistributed by the
SharePoint blade. These cookies may contain user authentication credentials and
might cause a client to assume the identity of a prior user. This has been
corrected so that credentials are not cached.

 250484 Fixed an issue wherein clicking a connection type on the Current
Connections page of the Management Console would behave incorrectly on
appliances not licensed for Space Communications Protocol Specifications (SCPS)
protocol.
 250562 Disabled a potential vulnerability where a user could visit a specific URL path
in the appliance's web user interface, and see some technical details about the web
server environment.
 251033 Fixed an issue where accented or other special characters in Application
names or descriptions caused the Current Connections page to stop loading and
display "Error Building Table".
 251589 Fixed a race condition that can occur during startup, leading to a soft-
lockup, which prevents the appliance from initializing. Messages such as the
following were seen on the console.
o BUG: soft lockup - CPU#0 stuck for 33s! [swapper:1]
o CPU 0:
o Pid: 1, comm: swapper Not tainted 2.6.32 #1 SteelHead
o RIP: 0010:[<ffffffff81023fc2>] [<ffffffff81023fc2>] set_mtrr+0xe2/0x1e0....
 251649 Fixed a problem that could lead to a crash if the SteelHead SaaS/Cloud
Accelerator and GeoDNS features are enabled under a high volume of GeoDNS
optimized SaaS Office 365 connections.
 252258 Fixed an issue so that HTTP to HTTPS redirection always uses the same host
name in the HTTPS URL as given in the HTTP URL. Previously, HTTP to HTTPS
redirection used the short hostname in the HTTPS URL, regardless of whether the
hostname in the HTTP URL was a fully qualified domain name or an IP address. In
some DNS configurations, this resulted in the redirection failing.
 252955 Fixed an issue that caused blank pages to show when accessing the webUI
through an intermediate proxy doing Port Address Translation (PAT).

 253253 CVE-2016-2073: The htmlParseNameComplex function in HTMLparser.c in
libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a
crafted XML document

Details:
libxml2 has CVE-2016-2073: The htmlParseNameComplex function in HTMLparser.c
in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a
crafted XML document.

Fix:
We have applied a patch to libxml2 to fix CVE-2016-2073.

Recommendation:
Upgrade to a version of the software with this fix.
 254783 Fixed an issue where the optimization service could crash when parsing
invalid HTTP chunked payload data with missing expected newline characters (CRLF).
This fix puts the connection in bypass state instead.
 254970 CVE-2016-0787: libssh2 vulnerability which could cause less secure keys to
be generated for encrypted traffic.

Details:
libssh2 has CVE-2016-0787, which could cause less secure keys to be generated for
encrypted traffic.

Fix:
We have upgraded libssh2 to fix CVE-2016-0787.

Recommendation:
Upgrade the software to a version with this fix.
 255391 Added a CLI command to set the serial bit rate of the remote management
console. Platforms that do not support this command (such as Tarpon) will indicate
so at the time the command is issued with no further effect.

 258529 OpenSSL Security Advisory May 3, 2016

Details:
From https://www.openssl.org/news/secadv/20160503.txt:
CVE-2016-2107: Padding oracle in AES-NI CBC MAC check (high). A man-in-the-
middle attacker can use a padding oracle attack to decrypt traffic when the
connection uses an AES CBC cipher and the server supports AES-NI (AES hardware
support). Some Riverbed appliance hardware does support AES-NI.
CVE-2016-2105: EVP_EncodeUpdate overflow (low)
CVE-2016-2106: EVP_EncryptUpdate overflow (low). This function is used by the
optimization service in SteelHead.
CVE-2016-2109: ASN.1 BIO excessive memory allocation (low)
CVE-2016-2176: EBCDIC overread (low). Not vulnerable, since the system does not
use EBCDIC.
CVE-2016-2108: Memory corruption in the ASN.1 encoder (high). Fixed in previous
releases: SteelHead 8.6.3, 9.0.1d, 9.1.1, 9.2.0; Interceptor 4.5.3, 5.5.0; SCC 9.1.0e,
9.2.0, SteelFusion 4.2.0, 4.3.0. For releases that do not have this fix, configure the
following to mitigate CVE-2016-2107: For "ssh server allowed-ciphers" do not
include aes128-cbc, aes192-cbc, or aes256-cbc (these are not enabled by default).
For "web ssl cipher" the default is "HIGH:-aNULL:-kKRB5:-MD5". To remove the AES
CBC ciphers, use
"HIGH:-aNULL:-kKRB5:-MD5:-PSK-AES128-CBC-SHA:-PSK-AES256-CBC-SHA".
Note: If you have a different cipher string, there may be other AES CBC
ciphers that need to be disabled as well.

Fix:
Upgraded OpenSSL to 1.0.2h (for SteelHead 9.2.1, 9.3.0; Interceptor 5.5.1; SCC 9.2.1,
SteelFusion 4.4.0) or 1.0.1t (for SteelHead 9.1.3; Interceptor 5.1.0; SCC 9.1.1).

Recommendation:
Upgrade to a release with the fix.

Problems fixed in version 9.1.2c


 257487 Fixed an issue in the SSL client authentication code to correct a missing
SSLv3 initialization that was modified in the most recent OpenSSL upgrade. To work
around this problem, update to a RiOS version with the fix or disable SSL client
authentication if it is not necessary.

Problems fixed in version 9.1.2b


 250228 Fixed an issue where an authentication request to the ACS server failed if
the authentication policy required a remote IP address along with the username and
password.

 255623 Fixed an issue where the HTTPS channel between the SteelCentral Controller
and the SteelHead was not established, causing REST feature policy pushes such as
hybrid network, appstats, and webproxy to fail. The SCC appliance pages showed
SteelHeads as Disconnected/No HTTPS connection. With this fix, the HTTPS channel
between the SteelHead and the SCC is set up and REST feature policy pushes work.

Problems fixed in version 9.1.2a


 242979 Fixed an issue where persistently high CPU utilization can occur when the
system attempts to send very large files, such as a large system dump, via email.
Failure events, such as process crashes, send email notifications accompanied with
sysdumps and can trigger the high CPU.
 248606 OpenSSL prior to 1.0.2e or 1.0.1q has security vulnerabilities
CVE-2015-3193, CVE-2015-3194, CVE-2015-3195. These are moderate vulnerabilities
described in https://www.openssl.org/news/secadv/20151203.txt.

Details:
OpenSSL prior to 1.0.2e or 1.0.1q has security vulnerabilities CVE-2015-3193,
CVE-2015-3194, CVE-2015-3195. These are moderate vulnerabilities described in
https://www.openssl.org/news/secadv/20151203.txt.

Fix:
Upgraded OpenSSL to 1.0.2e or 1.0.1q to fix CVE-2015-3193, CVE-2015-3194, CVE-
2015-3195.

Recommendations:
Upgrade to a software version with this fix.

 250249 CVE-2016-0777: An information leak (memory disclosure) in OpenSSH client
related to the roaming connection feature.

Details:
CVE-2016-0777: An information leak (memory disclosure) can be exploited by a
rogue SSH server to trick a client into leaking sensitive data from the client memory,
such as private keys.
CVE-2016-0778: A buffer overflow (leading to file descriptor leak), can also be
exploited by a rogue SSH server, but due to another bug in the code is possibly not
exploitable, and only under certain conditions (not the default configuration), when
using ProxyCommand, ForwardAgent, or ForwardX11.
Note: CVE-2016-0778 does not apply to Riverbed appliances, because the specified
configuration options are not used. Both vulnerabilities apply only to client use, not
server use.

Fix:
We have upgraded OpenSSH to 7.1p2 to fix the above vulnerabilities.

Recommendation:
Upgrade to a version with this fix. Otherwise, avoid using the "ssh slogin" command
to log in to untrusted servers.
 250611 CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c.

Details:
When the caching DNS server is enabled, it is vulnerable to a denial of service attack.
A remote authenticated attacker can cause the DNS server to exit by sending a
malformed Address Prefix List (APL) record.

CVE-2015-8705 is not applicable, as this applies to BIND 9.10.x, and the version
currently used on appliances is 9.9.x.

Fix:
BIND named has been upgraded to 9.9.8-P3.

Recommendation:
Upgrade to patched version if applicable.

 250951 CVE-2015-8138, CVE-2015-7973, and CVE-2015-7979: NTP security update.

Details:
NTP server before 4.2.8p6 has the following security vulnerabilities:
CVE-2015-8158: Potential Infinite Loop in ntpq
CVE-2015-8138: origin: Zero Origin Timestamp Bypass
CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast
mode
CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
CVE-2015-7977: reslist NULL pointer dereference
CVE-2015-7976: ntpq saveconfig command allows dangerous characters in
filenames
CVE-2015-7975: nextvar() missing length check
CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between
authenticated peers
CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
Of these, CVE-2015-8138, CVE-2015-7973, and CVE-2015-7979 are applicable.
CVE-2015-7973 and CVE-2015-7979 are only applicable when authenticated NTP is
used.
More details of the CVEs can be found at
http://support.ntp.org/bin/view/Main/SecurityNotice

Fix:
We have upgraded the NTP server to 4.2.8p6 to fix these security vulnerabilities.

Recommendation:
Upgrade to a software version with the fix. If this is not possible, use multiple time
sources and avoid placing appliances on untrusted networks to minimize the
vulnerability to CVE-2015-8138.

 251797 CVE-2015-3197: a malicious client may cause a server to negotiate disabled
SSLv2 ciphers if SSLv2 is enabled.

Details:
OpenSSL before 1.0.1r has the following vulnerability:
CVE-2015-3197: a malicious client may cause a server to negotiate disabled SSLv2
ciphers if SSLv2 is enabled.
Note: SSLv2 is disabled on the appliances in the SteelHead and SteelFusion product
line. This vulnerability is not applicable. This includes the web interface and
the optimization service on the SteelHead appliance.

Fix:
We have upgraded OpenSSL to 1.0.1r to fix CVE-2015-3197.

Recommendation:
Upgrade the software to a version with this fix.
 252446 CVE-2015-7547: buffer overflow in glibc getaddrinfo call for DNS lookups.

Details:
The GNU C library (glibc) had these vulnerabilities:
CVE-2015-7547: a buffer overflow in client DNS lookups (getaddrinfo) that might
allow malicious client connections from networks with malicious DNS servers to
cause crashes or other harmful effects in server software to which these clients
connect. This might affect servers (for example, SSH) that do DNS lookups on clients
connecting to them. Malicious client connections from networks with malicious DNS
servers can create the overflow conditions.
CVE-2015-5229: the calloc() function might return a pointer to memory that is not
filled with zero bytes.

Fix:
We have upgraded glibc to a version that fixes CVE-2015-7547 and CVE-2015-5229.

Recommendation:
Upgrade the software to a version with this fix. If this is not possible, avoid placing
appliances on networks exposed to untrusted DNS clients.

 253255 CVE-2016-0755: NTLM credentials not-checked for proxy connection re-use

Details:
libcurl will reuse NTLM-authenticated proxy connections without properly making
sure that the connection was authenticated with the same credentials as set for this
transfer.
This vulnerability is only applicable if the "network proxy" feature is configured to
use the "authtype ntlm". "network proxy" is only used for outbound management
connections such as configuration upload/fetch, or auto license.

Fix:
Upgraded curl to 7.47.1.

Recommendation:
Upgrade to patched version if applicable.
 253260 OpenSSL 1.0.2g/1.0.1s security update including CVE-2016-0800 SSL/TLS:
Cross-protocol attack on TLS using SSLv2 (DROWN)

Details:
A cross-protocol attack was discovered that could lead to decryption of TLS sessions
by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher
RSA padding oracle. Note that traffic between clients and non-vulnerable servers
can be decrypted provided another server supporting SSLv2 and EXPORT ciphers
(even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of
the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800).

This update also includes patches for these lower priority CVEs: CVE-2016-0702,
CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, and CVE-2016-0798.

For more details, see: https://www.openssl.org/news/secadv/20160301.txt and
https://www.openssl.org/news/vulnerabilities.html#y2016.

Note: SSLv2 is disabled on the appliances in the SteelHead and SteelFusion product
line. This vulnerability is not applicable. This includes the web interface and the
optimization service on the SteelHead appliance.

Fix:
OpenSSL upgraded to 1.0.2g or 1.0.1s where applicable. Note that the fix for
CVE-2016-0800 disables SSLv2 and "EXPORT" and "LOW" strength ciphers. See
https://www.openssl.org/news/secadv/20160301.txt.

Recommendation:
Upgrade the software to a version with this fix.

 253547 Fixed a software issue that caused model upgrades to fail. This fix fully
restores the model upgrade functionality.
 254168 Fixed an issue where a bug in RiOS version 9.1.2 caused high CPU usage by
the QoS process when using deep packet inspection for TLS traffic. This patch
resolves this issue.

Problems fixed in version 9.1.2


 167751 Fixed an issue where the optimization service on a SteelHead crashed when
the SteelHead disconnected from an optimization peer. The issue occurred when
the SteelHead was processing a large number of FTP or MAPI connections.
 218962 Fixed an issue where the SteelHead application classification engine was
classifying certain applications incorrectly. For example, O365 connections could
be classified as Skype. The classification engine has been upgraded to a version
that correctly classifies all supported applications.
 225445 Fixed an issue where the optimization service could crash during the CIFS
share directory parse operation. This fix added checks to avoid accessing invalid
information that could cause the optimization service to crash.
 226757 Fixed an issue where log messages make it look like the "yarder_rbt"
process has crashed when it has actually shut down normally. The amount of time
that the system process manager waits for a process to shut down before forcing it
to exit has been increased for "yarder_rbt".

 235947 cURL cumulative security update for security advisories adv_20150422A,
adv_20150422B, adv_20150422C, and adv_20150422D

Details:
CVE-2015-3143
NTLM-authenticated connections could be wrongly reused for requests without any
credentials set, leading to HTTP requests being sent over the connection
authenticated as a different user. This is similar to the issue fixed in DSA-2849-1.
CVE-2015-3144
When parsing URLs with a zero-length hostname (such as "http://:80"), libcurl would
try to read from an invalid memory address. This could allow remote attackers to
cause a denial of service (crash). This issue only affects the upcoming stable (jessie)
and unstable (sid) distributions.
CVE-2015-3145
When parsing HTTP cookies, if the parsed cookie's "path" element consists of a
single double-quote, libcurl would try to write to an invalid heap memory address.
This could allow remote attackers to cause a denial of service (crash). This issue only
affects the upcoming stable (jessie) and unstable (sid) distributions.
CVE-2015-3148
When doing HTTP requests using the Negotiate authentication method along with
NTLM, the connection used would not be marked as authenticated, making it
possible to reuse it and send requests for one user over the connection
authenticated as a different user.

Not Applicable:
CVE-2015-3144 and CVE-2015-3145

Fix:
Upgraded cURL utility to 7.44.0

Recommendation:
Upgrade to patched version if applicable.
 236378 Fixed an issue where, under heavy load conditions, SteelHeads in a
Connection Forwarding cluster would fail to send control messages to their
connection forwarding neighbors, resulting in the neighbors failing to remove stale
entries, leading to an out-of-memory condition. An enhancement has been made
that reduces control-message failures on the SteelHead so that out-of-memory
conditions and process failures on neighboring SteelHeads and Interceptors no
longer occur.

 237568 Fixed an issue where the Path Selection engine would log an INFO level
message once for every flow based on customer policies. This issue could
overwhelm the logs in cases where there are a large number of relayed flows. The
fix ensures that RiOS does not log the message for any relayed flows.
Example message:
[rbtqos.INFO] 172.29.81.103:61919 -> 10.3.5.60:445 proto 6 now being relayed
Excessive logging of this message could lead to rate limiting, indicated by
'kernel:__ratelimit' messages.
 238050 Fixed an issue where SNMP access might be very slow (an hour or so) when
there is a large number (tens of thousands) of connections due to an insert-and-
sort-each-time procedure. Tools like snmpwalk time out. The SNMP server has been
changed to build its internal array of connections more quickly so that a snmpwalk
or snmpbulkwalk query to an appliance with tens of thousands of connections will
take a few minutes instead of a few hours.
The use of the -t option in snmpwalk or other tools might still be necessary to
increase the timeout, but a more reasonable value like "-t 200" can be used.
 239271 Fixed an issue where the optimization service could crash when LAN or WAN
cables were removed and/or reconnected while the appliance was optimizing
connections.
 241025 Fixed an issue where out-of-memory conditions on the CX555 appliance
model could lead to restarts of optimization and other vital services. This fix
adjusted memory handling of the CX555 appliance to reduce the likelihood of hitting
an out-of-memory condition. Out-of-memory conditions can lead to restarts of
optimization and other vital services.
 241099 Fixed an issue in the Management Console's handling of Unicode characters
wherein the use of special characters or accented letters in the 'login message'
banner could break some pages or prevent login. This fix does not address a similar
issue with the MOTD banner, where the same characters can break some pages or
prevent login.
 242060 Fixed an issue where the optimization service would crash or large numbers
of error messages stated, "Unable to construct frame from …," by changing
the way the SteelHead parses traffic so that newer Citrix protocol variants are
bypassed.
 242681 Fixed an issue where an incompatibility with the SSL handshake TLS
extensions caused failed SSL connections with Microsoft Server 2012 R2 and
SharePoint online. Other Microsoft product updates were likely susceptible, too.
The Microsoft implementation was found to be dropping connections when the TLS
signature extension was not present. The extension was enabled in subsequent
versions of RiOS.

 243171 Fixed a problem where a race condition corrupts the connections map data
and causes the optimization service to crash when Outlook Anywhere is enabled.
Applied fixes to improve management of strings and reduce race conditions so the
connection map would not be corrupted.
 244078 Fixed an issue, introduced in RiOS 9.0, that prevented the "web http
redirect" command from automatically routing Management Console traffic to the
secure HTTPS port. When this command was executed, access to the Management
Console failed in a redirect loop.

Workaround:
Use https:// instead of http:// to access the web UI.

Additional Information:
When connecting to fixed versions, the browser cache may still need to be cleared
in some cases.
 244916 Fixed an issue where HTTP responses could drop during the transition from
optimized individual transactions to bypassed pipelined requests.
 245069 Fixed an issue where the optimization service was mishandling an oplock
break response from an optimized SMB3 encrypted connection from the server,
resulting in a failed file download. With this fix, the oplock break responses are
correctly handled and the client is able to read or download the file.
 246124 Fixed an issue where the SNMP ifindex for wan6_1 could differ between an
upgraded and factory defaulted appliance. The index value, introduced in RiOS 9.1.1,
could be 109 or 114 depending on which version the appliance was upgraded from
and to, and whether a factory default was applied. The fix ensures that the index
value is 109 in both the upgraded and factory default cases.
 246275 Fixed an issue where the optimization service could crash while processing
an SMB2 getinfo response from the server. This fix added checks to avoid accessing
invalid information that could cause the optimization service to crash.

 246966 CVE-2015-7871: Crypto-NAK packets can be used to cause ntpd to accept
time from unauthenticated ephemeral symmetric peers by bypassing the
authentication required to mobilize peer associations

Details:
NTP has security vulnerabilities described in
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Only CVE-2015-7871 is applicable:
Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated
ephemeral symmetric peers by bypassing the authentication required to mobilize
peer associations.
The following vulnerabilities are not applicable:
CVE-2015-7855
CVE-2015-7854
CVE-2015-7853
CVE-2015-7852
CVE-2015-7851
CVE-2015-7850
CVE-2015-7849
CVE-2015-7848
CVE-2015-7701
CVE-2015-7703
CVE-2015-7704, CVE-2015-7705
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702

Fix:
Upgraded NTP to 4.2.8p4 to address the security vulnerabilities described in
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner,
notably CVE-2015-7871.

Recommendation:
Upgrade to patched version if applicable.

 247050 CVE-2015-3238: An attacker able to supply large passwords to the unix_pam
module could use this flaw to enumerate valid user accounts or cause a denial of
service on the system.

Details:
The PAM module has been upgraded to fix CVE-2015-3238, where an attacker able to
supply large passwords to the unix_pam module could use this flaw to enumerate
valid user accounts or cause a denial of service on the system.

Fix:
The PAM module in RiOS has been updated to a patched version to address the CVE.

Recommendation:
Upgrade to a patched version.
 247443 Fixed Datakeg error and warning messages related to the SCA component.
These messages did not affect appliance functionality.
Example messages:
Nov 4 01:36:53 csh datakeg[6085]: [datakeg_lib.ERROR] Error running
/sbin/sca_datakeg.py acshs: No such executable /sbin/sca_datakeg.py
Nov 4 01:36:53 csh datakeg[6085]: [datakeg.WARNING] Problem with collecting
metric sca.acshs.
 247522 Fixed an issue where the optimization service crashed with Outlook
Anywhere enabled when a client did not have any more connections to the
Exchange Server or during client connect. During the tracking of Outlook Anywhere
connections associated with a client and server pair, a table would, at times,
become corrupted. This fix corrects the way RiOS does comparisons on this table.
 248614 Fixed an issue where VMware tools would not run on virtual SteelHead
appliance models x50 and xx50, in RiOS 9.1.0 and later.

Problems fixed in version 9.1.1a


 222693 Fixed an issue where, when RADIUS authentication is configured, passwords
longer than 272 characters can cause the Management Console to become temporarily
unavailable. This issue is only applicable if RADIUS based authentication is used on
the appliance. A fix in the third-party PAM_Radius library was made to prevent the
Management Console from exiting and restarting when passwords longer than 272
characters are entered. A restart of the Management Console triggers the following
message in the system log, and in an email notification: "Process failure: manage.py"
Workaround: Temporarily disable RADIUS based authentication.
Recommendation: Upgrade to patched version if applicable.
 245362 Fixed an issue where an IPMI alarm could be triggered by a false power
supply predictive failure state.

 246248 Fixed an issue where upgrading a SteelHead model SHA150 to RiOS 9.1.0 or
later fails and falls back to the previously installed version.
 247748 Fixed an issue where the optimization service could crash when HTTP
optimization and Outlook-Anywhere auto-detection are both enabled and certain
types of unexpected HTTP traffic are processed. The RPCH HTTP header parsing state
machine got into a state in which it was expecting headers but could not find any.
This change verifies that headers exist before trying to access them.

Problems fixed in version 9.1.1


 161036 Fixed an issue where a SteelHead connecting to the Cloud Portal through a
proxy server would present the Content-Length header, causing a failed connection.
The SteelHead now does not include Content-Length in the request. A hidden
command has been added to allow the SteelHead to revert to previous behavior, in
the case of proxy servers that require it.
 198675 CVE-2013-4782 - A BMC security vulnerability was discovered that impacts
SteelHead xx50, EX560, and EX760 models.

Details:
A BMC security vulnerability was discovered that impacts SteelHead xx50, EX560,
and EX760 models.

CVE-2013-4782 - The BMC implementation allows remote attackers to bypass
authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka
cipher zero) and an arbitrary password.

Recommendation:
Upgrade to patched version if applicable.
 220037 Fixed an issue where a kernel panic could occur when successive IP
fragments belonging to a transparent, optimized, and locally existing connection
arrived on the optimization module and another interface (e.g. the primary
interface). The fix is to make sure that the optimization module uses its own
defragmentation queue instead of the defragmentation queue of the kernel.
 220338 Fixed a problem that prevented the "monitor" user from selecting the units
to be displayed in both the Inbound and Outbound QoS reports. Previously, the
selection drop-down list was improperly disabled.

 221961 SSL optimization fails with error "SSL3_GET_SERVER_HELLO:parse tlsext"
when Client Authentication is enabled on the SteelHead and the client/server
negotiate use of SSL Session Tickets. Session Tickets can be used for SSL session
resumption and are negotiated by the client and server during the SSL handshake.
Both the client and the server must advertise support for Session Tickets in order for
Session Tickets to be used.
In a typical SSL optimization, the SSL handshake is terminated at the server-side
SteelHead. Since the SteelHead does not support Session Tickets, the SteelHead did
not advertise support for them and the Session Tickets were never used.
However, when Client Authentication is enabled on the SteelHead, Client
Authentication must allow the client and server to negotiate directly, which may
result in a Session Ticket being established. The SteelHead later encounters an error
when parsing the SSL handshake messages and the connection fails.
To remedy this, Session Ticket support must be enabled on the SteelHead by using
the following CLI command:
[no] protocol ssl backend client session-ticket
This command allows the SteelHead to parse the SSL handshake messages
containing Session Tickets.
Note that this does not imply that the SteelHead can decrypt Session Tickets
generated by another server. This means that the servers doing Client
Authentication cannot be optimized when the client uses a Session Ticket to resume
a session. (Session resumption using Session ID is still allowed).

However, if the server is not doing Client Authentication, the SteelHead
retroactively terminates the connection at the SteelHead. The only difference is
that the original client handshake message was forwarded to the server. Forwarding
the handshake message allows the SteelHead to generate its own Session Tickets
and enables SSL optimization to work in all resumption cases. Subsequent
connections to the server will terminate at the SteelHead and will follow the typical
SSL optimization model.
The solution is to disable SSL Client Authentication.
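The Session Ticket negotiation described in 221961 can be checked on a captured handshake. The following is an added example, not Riverbed code: it assumes the input is a ClientHello or ServerHello handshake message in the TLS 1.2-and-earlier layout with the record header already removed, and the helper names and sample messages are constructed for illustration.

```python
import struct

SESSION_TICKET = 35  # SessionTicket extension type (RFC 5077)


class Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated handshake message")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vector(self, len_bytes):
        # A TLS vector: length prefix of len_bytes bytes, then that many bytes.
        return self.take(self.uint(len_bytes))

    def remaining(self):
        return len(self.data) - self.pos


def hello_extensions(msg):
    """Return {extension_type: data} from a ClientHello (1) or ServerHello (2)."""
    outer = Reader(msg)
    msg_type = outer.uint(1)
    if msg_type not in (1, 2):
        raise ValueError("not a ClientHello or ServerHello")
    body = Reader(outer.vector(3))
    body.take(2 + 32)        # protocol version + random
    body.vector(1)           # session_id
    if msg_type == 1:
        body.vector(2)       # cipher_suites offered by the client
        body.vector(1)       # compression_methods
    else:
        body.take(2 + 1)     # cipher suite and compression chosen by the server
    extensions = {}
    if body.remaining() == 0:
        return extensions    # the extensions block is optional
    ext = Reader(body.vector(2))
    while ext.remaining():
        ext_type = ext.uint(2)
        extensions[ext_type] = ext.vector(2)
    return extensions


def ticket_negotiated(client_hello, server_hello):
    """Tickets are used only if BOTH hellos carry the SessionTicket extension."""
    return (SESSION_TICKET in hello_extensions(client_hello)
            and SESSION_TICKET in hello_extensions(server_hello))


def build_hello(msg_type, ext_types):
    """Build a minimal hello with empty extensions (constructed sample data)."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = b"\x03\x03" + bytes(32) + b"\x00"   # TLS 1.2, zero random, no session_id
    if msg_type == 1:
        body += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"
    else:
        body += b"\x00\x2f" + b"\x00"
    if ext_types:
        body += struct.pack("!H", len(exts)) + exts
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    client = build_hello(1, [23, SESSION_TICKET])
    for label, server in (("server advertises tickets", build_hello(2, [SESSION_TICKET])),
                          ("server does not", build_hello(2, [23]))):
        print(label, "->", ticket_negotiated(client, server))
```
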
 231646 Fixed problem where packets could be corrupted when the SteelHead has
DSCP marking enabled and sees VLAN tagged broadcast packets (such as DHCP)
going from LAN to WAN.
If a software upgrade is not an option, disable DSCP marking or change specific
rules.
 235715 Fixed an issue where, in rare cases, the priority detection used to label Citrix
MSI traffic for QoS fails to correctly identify the stream priority. In this case, the
stream is identified as Citrix-CGP. Additionally, SSL warnings may be seen when the
connection is closed.
The Citrix optimization feature now looks for any occurrence of the priority
command, not just the first one, until it identifies a valid priority.

 237772 Fixed an issue where, on SteelHead models CX255, CX570, and CX770, the
LAN and WAN interface links can go down briefly during an optimization service
restart. This issue existed on all previous RiOS releases.
 238512 Fixed an issue with GeoDNS for SteelHead SaaS Office 365 optimization
causing high CPU overhead. This could happen either when a large number of clients
are being GeoDNS optimized or when clients are using a different DNS server than
those configured on the SteelHead appliance.
 238925 Fixed an issue where QoS-related processes crash repeatedly after reboot
when a new in-path interface is added after configuring remote sites.
 239153 Updated Web-Proxy cache to support HTTP/1.1 so that HTTP Pre-population
can be utilized.
 239490 Fixed an issue where the logs were being flooded with QoS related
messages in certain path selection deployments. The fix changes the log level of
the messages.
 239757 Fixed a bug where a certificate, created using a CSR from the SteelHead,
could not be used to "replace" the current certificate through the Web Settings
page.
 239947 RiOS OpenSSL security update for advisory - secadv_20150611
Details:
This update patches the following issues:
CVE-2014-8176: Invalid free in DTLS
CVE-2015-4000: DHE man-in-the-middle protection (Logjam) - Extended fix
CVE-2015-1788: Malformed ECParameters causes infinite loop
CVE-2015-1789: Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1790: PKCS7 crash with missing EnvelopedContent
CVE-2015-1791: Race condition handling NewSessionTicket
CVE-2015-1792: CMS verify infinite loop with unknown hash function
For more information, see: https://www.openssl.org/news/secadv_20150611.txt

Fix:
Of these issues, RiOS is NOT vulnerable to:
CVE-2015-4000 as DHE ciphers are not supported.
CVE-2015-1788 as Elliptic Curve ciphers are not used.
CVE-2015-1791 as Session Tickets are not supported.
CVE-2014-8176 as DTLS is not supported.

However, the OpenSSL library in RiOS has been updated to a version that implicitly
patches all the above issues.

Recommendation:
Upgrade to patched version if applicable.

 240539 Fixed an issue in SteelHead version 8.6.x and later where a path-selection
policy push from the SCC to SteelHead would fail.
 240747 Fixed an issue where a kernel panic could occur in certain configurations
using full address transparency in-path rules, leading to an optimization service
restart. This issue impacts RiOS v8.6.2 and later, v9.0.x, and v9.1.x.
 240843 Fixed an issue where a false positive redundant power supply alarm would
raise and clear intermittently. A symptom of this bug is seeing the alarm
consistently clear one minute after it was raised.
 240976 Fixed an issue where a kernel crash could occur affecting appliances running
traffic across an interface with an e1000e driver, which is commonly used by several
models on the on-board in-path interface. Messages such as these can be seen:
Jun 20 08:53:57 localhost kernel:IP: [<ffffffff8144dfe1>]
e1000_xmit_frame+0xd51/0x1000
 241120 Fixed an issue where a UI page load error appears when trying to open
pages such as QoS and 'Sites and Networks.' This error occurs when a SteelHead
appliance has an interface card installed in slot 6.
Messages like the following appear in the system logs:
Jul 8 09:19:19 sv-sh202 lumberjack_rbt[35484]: [sh.appflow.INFO] The wan6_0
interface ifindex is not available.
 241291 Fixed an issue where packets decrypted using Secure Transport were not
sent out with the configured VLAN of the optimization interface when the
connection-based VLAN feature is enabled. Decapsulated packets would need to
pick up the VLAN configured on the optimization interface even if the connection-
based VLAN feature is enabled.
 241333 OpenSSL cumulative security update for advisory - secadv_20150709
Details:
This update addresses the following issues:

CVE-2015-1793: Alternative chains certificate forgery


For more information, see: https://www.openssl.org/news/secadv_20150709.txt

Fix:

The OpenSSL library in RiOS has been updated to version 1.0.1p to patch the above issue.

Recommendation:

Upgrade to patched version if applicable.


 241340 OpenSSL cumulative security update for advisory - secadv_20150709

Details:
This update addresses the following issues:
CVE-2015-1793: Alternative chains certificate forgery
For more information, see: https://www.openssl.org/news/secadv_20150709.txt

Fix:
The OpenSSL library in RiOS has been updated to version 1.0.1p to patch the above issue.

Recommendation:

Upgrade to patched version if applicable.

 241573 Fixed an issue where the Outlook Anywhere auto-detect mechanism could
misinterpret HTTP payload and cause an optimization service crash. With the fix,
unexpected source responses are identified, the connection is passed through, and
a message is logged: "enable pass-thru: unexpected data after headers." Disable
Outlook Anywhere auto-detect and add an in-path rule to use Outlook Anywhere
latency optimization only for Microsoft CAS servers.
 241773 Fixed a crash that can occur while optimizing MAPI RPCH traffic caused by
negative Content-Length headers. Although it is not allowed by the HTTP
specification, Microsoft servers can return negative Content-Length header values,
which trigger an ASSERT in the RPCH code. Instead of crashing, with this fix the
software passes through the traffic and logs an INFO level log: "enable pass-thru:
Content-Length header is negative: -1".
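The handling described for bugs 241773 and 247748 (validate the header block and fall back to pass-through instead of asserting) is sketched below as an added example; it is not Riverbed's RPCH code. The function names, action labels and sample responses are assumptions constructed for illustration, and the checks for non-numeric and conflicting Content-Length values go beyond the two cases in these notes.

```python
import logging

log = logging.getLogger("rpch_example")  # hypothetical logger name

OPTIMIZE = "optimize"
PASS_THRU = "pass-thru"


def parse_head(raw):
    """Return (status_line, [(name, value), ...]) or None.

    None means the header block is incomplete, malformed or empty, so the
    caller never indexes into headers that are not there.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None                      # header block not terminated
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        return None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            return None                  # no colon, empty name, or folded line
        headers.append((name.lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    if not headers:
        return None                      # status line only: headers expected, none found
    return lines[0].decode("latin-1"), headers


def content_length(headers):
    """Return (length, None), (None, reason), or (None, None) if the header is absent."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None, None
    if len(set(values)) > 1:
        return None, "conflicting Content-Length headers"
    text = values[0]
    if text.startswith("-") and text[1:].isdigit():
        return None, f"Content-Length header is negative: {text}"
    if not (text.isascii() and text.isdigit()):
        return None, f"Content-Length header is not a number: {text!r}"
    return int(text), None


def decide(raw):
    """Return (action, reason) for one response; bad input never raises."""
    parsed = parse_head(raw)
    if parsed is None:
        reason = "expected headers but found none"
    else:
        _length, reason = content_length(parsed[1])
    if reason:
        log.info("enable pass-thru: %s", reason)
        return PASS_THRU, reason
    return OPTIMIZE, "headers valid"


# Constructed sample responses, not captured traffic.
SAMPLES = {
    "normal": b"HTTP/1.1 200 OK\r\nContent-Type: application/rpc\r\n"
              b"Content-Length: 20\r\n\r\n" + b"x" * 20,
    "negative": b"HTTP/1.1 200 OK\r\nContent-Length: -1\r\n\r\n",
    "no_headers": b"HTTP/1.1 200 OK\r\n\r\n",
    "truncated": b"HTTP/1.1 200 OK\r\nContent-Le",
    "conflict": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
                b"Content-Length: 7\r\n\r\nhello",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for label, raw in SAMPLES.items():
        print(label, "->", decide(raw))
```
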
 241917 CVE-2015-4620 - ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x
before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation,
allows remote attackers to cause a denial of service.
Details:

name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2,
when configured as a recursive resolver with DNSSEC validation, allows remote attackers to
cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing
crafted zone data and then making a query for a name in that zone.

Fix:
The ISC BIND named daemon for the DNS cache feature has been upgraded to address
CVE-2015-4620.

Recommendation:

Upgrade to patched version if applicable.

 241918 CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause a
denial of service.

Details:

A denial-of-service (DOS) flaw was found in the way the libxml2 library parsed certain XML
files. An attacker could provide a specially crafted XML file (related to an XML Entity
Expansion (XEE) attack) that, when parsed by an application using libxml2, could cause that
application to use an excessive amount of memory.

Fix:

The libxml2 library has been updated to patch CVE-2015-1819.

Recommendation:

Upgrade to patched version if applicable.

 241998 Fixed an issue where the Application Statistics REST API "resolution" and
"rollup_function" parameters were incorrectly exposed. Setting these values may
result in inaccurate data. Do not set these unsupported parameters.
 242237 Fixed a problem where the reset of TCP connections on 32-bit appliances
failed due to mismatched library versions. Fixed by using the appropriate library for
32-bit appliances.
 242633 Added an enhancement to improve the size allocations for SSL encryption
buffers. This change reduces the amount of memory allocated for small SSL alert
messages. Additional Info: This change is not a solution to SSL sizing constraints and
will not increase the secure connection capacity on a SteelHead.
 243604 Fixed an issue on the Web Proxy that caused intermittent access to certain
Web pages. This behavior occurs when the Web server that the client is connecting
to sends a Keep-Alive header in the HTTP response. As a result, the connection
between the client and the proxy, and the connection between the Web proxy and
the server are kept alive.
If the server sees no data for some time, it closes the socket on its side (generally
after a short timeout).
The client, during this time, initiates a new HTTP request on the kept alive
connection to the proxy. The Web proxy then sends a "Service Unavailable" error
and also closes the connection to the client because it cannot guarantee that the
configured network rules for the client-side connection can be applied on a new
server-side connection.

To fix this issue, when the server closes the connection, the SteelHead propagates
the connection close to the client. This ensures that the client does not reuse a
connection that has the corresponding server connection closed.

 243632 Fixed an issue where a kernel crash could occur when the system was
low on available memory. The signature of the crash is a message like the following:
Aug 22 02:16:15 localhost kernel: [<f9287d03>] hnbi_delete_init_data+0x2b/0x50
[nbt]
 244832 CVE-2015-5986 - openpgpkey_61.c in named in ISC BIND 9.9.7 before
9.9.7-P3 allows remote attackers to cause a denial of service.
CVE-2015-5722 - buffer.c in named in ISC BIND 9.x before 9.9.7-P3 allows remote
attackers to cause a denial of service.

Details:
CVE-2015-5986: openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3
allows remote attackers to cause a denial of service (REQUIRE assertion failure and
daemon exit) via a crafted DNS response.
CVE-2015-5722: buffer.c in named in ISC BIND 9.x before 9.9.7-P3 allows remote
attackers to cause a denial of service (assertion failure and daemon exit) by creating
a zone containing a malformed DNSSEC key and issuing a query for a name in that
zone.

Fix:
The ISC BIND named daemon for the DNS cache feature has been upgraded to
9.9.7-P3.

Recommendation:
Upgrade to patched version if applicable.

Note: the DNS cache feature which utilizes BIND is turned off by default, and does
not use DNSSEC.
 245223 Fixed an issue where the optimization service might crash when the system
recycles an Outlook Anywhere connection in a way that is not permitted by the
protocol.
 246054 Fixed an issue in RiOS 9.0.0 and later where system service issues could lead
to symptoms such as database configuration switch errors like the following:

"Config change has not completed successfully"


An additional symptom is the Secure Transport service not starting properly.
A condition that makes this failure more likely is a DNS server being unreachable
(such as a network failure).
To work around this issue, switch away from the configuration, and then switch back
to the desired one. If the error persists, restore DNS reachability and re-attempt the
configuration switch.

 246073 Fixed an issue where optimized HTTP connections could fail due to the
interaction of HTTP Prefetch optimization, Outlook Anywhere optimization, and the
use of chunked encoding by the HTTP server. With this fix, the two optimizations
now interact correctly and client HTTP connections are no longer blocked.

Problems fixed in version 9.1.0


 92015 Fixed a race condition that caused the AppFlow engine classification to fail
with a ‘navl_conn_init failed: 17’ error string in the syslog. This caused the affected
connection to be misclassified.
This race condition occurred when:
o An MFE receives a pure-SYN after the inner connection between the client and
the server SteelHead fails.
o The fw-RST feature is enabled for transparent inner connections.
o Packets ricochet from one in-path interface to another.
 100602 Eliminated error messages intended for internal use that appeared in the
CLI when customers used dump commands such as sysdump or tcpdump.
These errors were harmless.
 116348 Fixed a problem seen during stress tests when the SMB2 Client Redirector
Cache is disabled on the client SteelHead. The SMB2 blade reused an old search
pattern associated with a file handle, that was used during SMB2 QUERY/FIND
requests in the process of reusing cached file handles. This fix clears the search
pattern when the file handle is closed from the client SteelHead.
 139998 Fixed an issue where the interface link state could go down intermittently
due to spurious interrupts with the MSI-X interrupt scheme. Changed to an MSI
interrupt scheme that allows the system to better handle spurious interrupts.
 150590 Fixed an issue where optimization of Microsoft Office 365 connections
through the SteelHead Cloud Accelerator (SCA) would cause delays when Outlook is
first started on a client machine. This happened because Outlook autodiscover
connections that are reset by server were re-established slower than they would
have without SteelHeads, because of a difference in connection entry timeouts. A
hidden command has been introduced to make this interaction with autodiscover
connections better.
 154426 Fixed a very rare issue that caused the RiOS optimization service to crash
due to an infinite loop when processing CIFS reads. Please see the KB article S26688
for steps to identify this issue from process dumps.
 156420 In rare cases, when enabling the "Object Prefetch Table" on the SteelHead,
there would be page load failures caused by serving stale page data. The expiration
date of cacheable response data was being reset every 12 days. In rare cases, such
responses remained accessible in the cache and would be returned to clients. The
timing mechanism has been corrected by this fix.

 157376 The path history in the Connection History report did not list paths in the
correct order when multiple path fail-overs occur in a fraction of a second. The
previously used path was reported first followed by the most recently used path.
This fix enables the path history in the Connection History report to display the
paths based on most recently used at the top and least recently used path at the
bottom.
 158949 Fixed an error message so that it is clear that a timeout occurred during the
download of a RiOS image using the secure copy (scp) tool. For clarity, the error
message now starts with "scp timeout:".
 159063 Fixed an issue where an internal misconfiguration in QoS shaping might
result in unfairness to a flow with small packets. A large queuing delay might be
observed for small packet flows. The internal misconfiguration in the SFQ quantum
has been fixed.
 106732 The Riverbed Support site was changed to display sha256 checksum value
for the SteelHead images. Fixed the CLI command "show images checksum" to show
SHA256 checksum value instead of MD5 checksum value.
 161841 Fixed an issue where the heimdal module does not correctly invalidate
closed socket descriptors resulting in a subsequent RiOS crash.
 163866 Fixed a rare issue where the optimization service can crash if a MAPI
connection was hitting the Admission Control limit.
 163894 Fixed an issue where the QoS deep-packet inspection (DPI) setting for
NetFlow required at least one CascadeFlow collector to be configured. The ‘show
running-config’ CLI command listed the QoS DPI setting before the collector. If this
output was used to reconfigure the SteelHead, the push for QoS DPI would have
failed. The CLI command, ‘show running-config’ now recreates the QoS DPI setting
after the NetFlow collector configuration to allow it to check for at least one
configured CascadeFlow collector before enabling QoS DPI.
 164769 A thread deadlock race condition has been corrected inside the live video
stream splitting implementation. When encountered it resulted in the watchdog
thread instigating an optimization service restart preceded by an event thread
indicating "not healthy after at least 15s".
 164780 Fixed an issue where SMB2 connections were reported as CIFS on the
Current Connections report, if one of the following was also enabled: Path Selection,
Quality of Service, Netflow DPI, or Application Visibility.
 164815 Fixed an issue that caused a failure of mapping network shares with
Windows login scripts when SMB2 latency optimization is enabled. With this issue,
Windows machines could not run the login script that automatically maps network
shares when SMB2 latency optimization is enabled. The issue is due to denying read
requests when the file is opened with execute permissions.

 165554 Fixed problem where the client-side SteelHead attempts to connect to a
decommissioned Akamai Cloud SteelHead. This would result in pass through
SteelHead Cloud Accelerator connections with the reason: "Inner failed to
establish". Additionally, the logs contain "Peer x.x.x.x is unreachable or
incomparable" or "Error connecting to the peer OOB". The fix improves the system
log output when the log level is set to debug and sets the timeout for the intercept
proxy table entry when the value was incorrect.
 168012 Fixed the auto completion for host and port labels for QoS and path
selection CLI commands.
 173478 Fixed issue where the SteelHead was not properly releasing memory when
the CLI, Management Console, or SteelCentral Controller (SCC) was viewing or
manipulating the HTTP server/subnet configuration table.
 173560 Fixed an issue in the SMB2 blade when handling requests that were split
into multiple PDUs by the client.
 187856 Fixed an issue where the path selection service was using stale information
after optimization service was disabled for a relay on the SteelHead.
 192781 Fixed an issue that causes an out-of-memory condition on the client-side
SteelHead leading to a crash of the optimization service. The issue is due to the
buffering of write requests during NFS write-behind optimization. The fix enables
NFS flow control by default in the write-data path.
Note: NFS clients using 1M writes might experience bug 231508.
 193140 Fixed an issue where the Excel file save operation fails on SMB2 connections
on MAC clients. This fix disables the SMB2 idle-foi feature by default, because on
alternate streams it is typically used for metadata operations.
 193447 Fixed an issue where an encrypted MAPI connection is reported as MAPI
instead of MAPI-Encrypt on the Current Connections report when any of the
following was enabled: Path Selection, Quality of Service, Netflow DPI, or
Application Visibility.
 195691 Fixed an issue where under certain conditions, TCP acknowledgement is not
sent during connection kickoff. Fixed the logic that generates TCP RST packets
during connection kickoff to set the TCP ACK flag when appropriate.
 196320 When optimizing Microsoft Office 365 with SteelHead SaaS, the GeoDNS
feature might not take effect. Fixed this issue by changing the SteelHead code to
remain in synchronization with data delivered by the Cloud Portal, in order to avoid
intermittent lack of GeoDNS.
 196456 Fixed an issue to ensure that all compound requests (specifically SetInfo
requests) are appropriately released following a failed create on the SMB2 session.
This prevents the RiOS crash seen with this bug.

 197755 Fixed an issue where, when configuring login security in the SteelHead
Management Console, certain combinations of RADIUS authentication and remote
authorization, without the presence of a RADIUS server, would cause error
messages to appear out of sequence.
 198747 Fixed a problem where a SteelHead REST API service could query another
service while it was starting up. This problem occurred under the following
circumstances:
- SteelHead boot or reboot
- SteelHead upgrade
- Start or restart of the SteelHead process that hosts the REST API service.
 200056 Fixed an issue where in a very rare case when flow collectors are configured
and the primary interface's IP address is changed during appliance boot-up, error
messages, ‘[netflow.ERR] - {- -} uninitialized socket error in send,’ could be seen in
the system log.
The collector exports NetFlow records using a UDP socket. The fix binds the UDP
socket to the interface instead of the IP address in order to export the records. This
resolves the socket bind issue caused by a DHCP change of the IP address.
 200222 Fixed problem where the "reset factory" CLI command does not reset
configuration settings for all features on the SteelCentral Controller to their default
values.
 200780 Fixed an issue where the application options for path selection rules did not
update when a new application was created in another tab or by another user.
 201202 Fixed an issue where DSCP/VLAN rules fail to match as expected.
 201550 Added an enhancement where any errors associated with the QoS migration
process are printed on the Quality of Service page, after a pre-9.0.0 to 9.0.x
upgrade.
 202160 Fixed a bug where the "Internet Protocol" setting for the gateway test on
the Network Health Check page was not properly processed and the test always
generated an error.
 202581 Fixed a script-execution vulnerability that could be exploited by special tools
that sent specific kinds of URLs to the appliance.

 202583 Management Console denial of service with malicious requests

Details:
A logged-in SteelHead user, using special tooling, can make the Management
Console unavailable. The attack requires a valid login and that a specific request
be altered by an external packet-modification tool.

Fix:
Implemented better exception handling to prevent denial of service attacks due to
malformed requests.

Recommendation:
Upgrade to patched version if applicable.
 202809 RiOS v9.1 includes additional log messages and a counter to identify the
delay between connection forwarding neighbors.
 203006 Fixed an issue where the connection between the new Windows v10 client
and servers could be black-holed if it is using the new SMB v3.1 dialect and the
feature called Pre-authentication integrity. The SMB2-signing blade, when enabled,
now detects if the client is sending the SMB v3.1 dialect and removes itself from
the splice, allowing the connection to continue in pass through without latency
optimization.
 203283 The size limit for video fragments is no longer incorrectly driven off the
Object Prefetch Table cache limit. This fix restores the higher video fragment limit.
 203756 Some users thought that the system time in the upper right-hand corner of
each Web page always reflected the current time on the SteelHead. However, the
time was actually static and never changed. With this fix, the SteelCentral Controller
now keeps the system time current by updating it periodically.
 204223 The secure transport client service (stp_client) is designed to retry on such
failures. These are innocuous log messages and their severity level has been
reduced.
 204247 In a heterogeneous environment of Windows 2003 and 2008 domain
controllers (DCs), a problem where the SteelHead connects to the Windows 2003 DC
instead of the Windows 2008 DCs to complete NTLM-transparent authentication in
ADI-2k8 mode was fixed.
 204386 Fixed an issue where while starting the Virtual SteelHead, a system log
warning might be displayed stating, ‘MSPEC license has expired or been removed.
Terminating sport.’ This warning is invalid and can be ignored. The fix removes a
redundant licensing check at startup which might cause confusing log messages
about license expiration.

 205238 Fixed an issue where the Path Selection page makes a large request every 10
seconds when idle. The information retrieval process was modified to request the
list of application options for path selection rules asynchronously after the initial
page load every 30 seconds instead of every 10 seconds.
 205330 RiOS has changed the way it computes output buffer lengths requested in
find requests generated by the client SteelHead. RiOS always requests either 512K
or finds a prefetch window size, whichever is the minimum, thereby ensuring that
the output buffer length is never too small.
 205471 Fixed an issue where, when WCCP is used to redirect traffic to a
SteelHead and the encapsulation scheme is set to ‘Either’ on the SteelHead, packets
could be GRE redirected to a router even though the WCCP redirection was
negotiated to be Layer2 only. The fix addresses when multiple service groups are
configured and either GRE or Layer2 redirects could be the negotiated method for
WCCP.
 205495 Fixed an issue so that existing system event log entries are now cached in
RiOS and only new entries need be retrieved through the IPMI. Prior to the fix the
SteelHead Management Console or CLI might become slow and unresponsive and
the following message would appear in the logs:
[mgmtd.NOTICE]: Waited [x] secs for [query request], Bindings (1 of
1):{/hw/hal/ipmi/query/allevents,N/A,N/A}
 205588 Fixed a bug where some role-based management users (that is, users who
had "Read-Only" permissions for in-path rules and "Deny" for all other roles)
encountered an error message when viewing the In-Path Rules page.
 205609 Fixed an issue that caused SteelHead CX250 models to hit a low memory
condition when datastore encryption is enabled. Fix adjusts memory Admission
Control values for CX250 series to account for datastore encryption.
 205796 Fixed an issue where the "Uplink None not defined" error appears when the
path-selection CLI command prevents a user from resetting the path choice in a path
selection rule.
 205942 The kernel statistics API has been patched to handle the invalid sockets
gracefully and will no longer crash.
 206144 Fixed an issue that caused increased memory usage on repeated accesses to
the Path Selection page on Web3. The information retrieval process was modified to
request the list of application options for path selection rules asynchronously after
the initial page load every 30 seconds.
 206287 Fixed an issue where certain CLI commands such as ‘no stp-client controller’
and ‘show stp-client status’ would hang and eventually timeout with an error.
The timeout was due to an unhandled error condition. The error conditions leading
to this timeout are gracefully handled now.

 206552 Correctly suppress the inbound QoS bandwidth for the primary interface
since inbound QoS is not supported on it.
 206555 Fixed an issue where a monitor user could navigate certain Web pages from
which they are restricted.
 206620 Fixed an issue where pass through connections can lead to incorrect
asymmetry warning messages in the system logs, similar to, ‘ITSEELM-WA0008
kernel:[intercept.WARN] it appears as though probes from 10.0.0.1 to 10.10.2.9 are
being filtered. Passing through connections between these two hosts.’
The warning has no negative impact on the functioning of the SteelHead. The
spurious warning message is fixed.
 206905 QoS rules are fixed to match both application name and description fields.
 216469 A memory leak occurs when the SteelHead adds an SSL server to the bypass
table. Over time this can lead to premature admission control. Corrected code that
was failing to deallocate X509 certificate information.
 216769 Fixed an issue where the font size on the log pages of the SteelHead
Management Console is sometimes too small or too large for the user.
Now on the SteelHead Management Console Log page, users can adjust the font size
of the logs. This functionality is not available on Internet Explorer v8 or earlier.
 216839 Fixed a problem with Current Connections report in the SteelHead
Management Console and the CLI, neither of which showed the per-connection QoS
information in v9.0.0. RiOS v9.0 changed the internal architecture of the QoS
feature. The Current Connections report in the Management Console and the "show
connection/flow" CLI commands were missed in the conversion to the new
architecture.
 216980 Fixed an issue where the tooltip for the alarm icon on the header of the
SteelHead Management Console did not change along with the health of the
appliance. The redundant "System Health" text was also removed.
 216985 Fixed an issue where the output of the "show running full" CLI command
fails to apply when the Default Profile QoS class names differ from the stock
defaults.
 217019 Fixed an issue that caused live video stream splitting functionality to not
work correctly if the video URLs have query parameters.
 217309 Fixed an issue where entries in the simplified routing table became stale
when the IP address of a SteelHead peer on the same subnet changed. This fix
identifies stale entries and invalidates them.
 217580 We have addressed the scenario where large site configurations are being
made with shaping enabled. The improvements should avoid the page swapping and
the memory requirements.

 217650 CVE-2014-4877: Wget FTP symbolic link, arbitrary file system access.

Details:
A flaw was found in the way Wget handled symbolic links. A malicious FTP server
could allow Wget running in the mirror mode (using the '-m' command line option)
to write an arbitrary file to a location writable by the user running Wget, possibly
leading to code execution.

Fix:
The Wget package has been upgraded to address CVE-2014-4877.

Recommendation:
Upgrade to patched version if applicable.
 217689 Fixed an issue with the output of the "show running full" CLI command
when the QoS configuration items contain space in their names. The output is now
properly escaped for input.
 217700 Made the screen scrollable to allow access to all profiles in the Sites and
Networks page.
 217835 Fixed an issue where the kernel throws a warning message when a
connection is not in an established state and it receives a packet with SNACK options
set. This message is harmless as the received packet is handled safely. This fix
suppresses this innocuous message.
 218734 In Internet Explorer v8 (IE8), when editing an application that has metadata
fields (such as those for HTTP), a field no longer disappears after opening and closing
the drop-down list. Additional checks are made for IE8 to prevent the problem.
 218794 Auto refresh logic was implemented so that CLI changes are reflected on the
Path Selection page of the Management Console without refreshing the page.
 218799 The SteelHead now parses authenticated EPM connections and optimizes
related MAPI connections. Note: When Outlook is using authenticated EPM
connections to the SteelHead you cannot use the MAPI port remapping feature.
 218996 Fixed an issue where receiving jumbo packets on the SteelHead in a
connection forwarding or WCCP deployment can lead to kernel traces in the logs.
The SteelHead now properly handles jumbo frames received in connection
forwarding or WCCP setups. This no longer causes kernel traces in the logs.
 219085 Fixed an issue that was causing fragment reassembly to fail leading to
packet drops. Reassembly failures are recorded with the following error message in
system log: "kernel:[intercept.ERR] ip_defrag failed with -12".
 219137 Fixed an issue with database connection management that can lead to a
crash of the collectord process when the system is under high load.

 219485 Fixed an issue where a user without QoS read permissions, instead of being
taken to the My Accounts page, sees an error in the SteelHead Management
Console when attempting to view the Inbound or Outbound QoS reports.
 215931 Tcpdump: Multiple denial of service attacks caused by malformed PPP,
AODV & OLSR packets.

Details:
CVE-2014-8767: Integer underflow in the olsr_print function in tcpdump 3.9.6
through 4.6.2, when in verbose mode allows remote attackers to cause a denial of
service (crash) via a crafted length value in an OLSR frame.
CVE-2014-8769: Tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain
sensitive information from memory or cause a denial of service (packet loss or
segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet
which triggers an out-of-bounds memory access.
CVE-2014-9140: Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump
4.6.2 and earlier allows remote attackers to cause a denial of service (crash) via a
crafted PPP packet.

Fix:
The Tcpdump library has been updated to fix CVE-2014-8767, CVE-2014-8769, and
CVE-2014-9140. Note that RiOS is not impacted by CVE-2014-8768, a related issue
which affects GeoNet frames.

Recommendation:
Upgrade to patched version if applicable.
 219670 Fixed an issue with a specific QoS workflow, when adding the same rule
twice, the system no longer displays "ValueError" errors when subsequent, valid
actions are attempted.
 219678 The reset button removes the red error popup bubble.
 219870 The failure handling mechanism for GeoDNS for SteelHead SaaS Office 365
optimization has been enhanced so that unreachable IP addresses are temporarily
blacklisted instead of being permanently purged.
 221108 The CLI command "configuration write to" triggers a restart of the
SteelHead internal service. In some timing-specific cases, the restart
request is intercepted and discarded by the SteelFlow Web transaction analysis
(WTA) feature. Because the internal service never restarts, further attempts to write
the configuration file to memory fail. This issue can occur even if SteelFlow WTA is
not enabled. This fix prevents restarts by preventing SteelFlow WTA from
intercepting this request.

 221252 Fixed an issue where the RiOS optimization service might crash when the
SMB2 servers send asynchronous responses to synchronous read-ahead requests
from the client-side SteelHead. This is more likely to happen when the server is
under high load.
 221435 After the fix, starting the secure transport controller succeeds even if the
management system is unresponsive. Thus, secure transport clients are able to
connect to the secure transport controller and no controller connectivity alarms are
triggered on the SteelHead.
 221489 Fixed an issue where the MAC header size is not accounted for during
inbound QoS shaping, leading to higher than expected inbound throughput.
 221492 CVE-2014-8500 BIND library: Delegation handling denial of service attack.

Details:
A denial of service flaw was found in the way BIND followed DNS delegations. A
remote attacker could use a specially crafted zone containing a large number of
referrals which, when looked up and processed, would cause named to use
excessive amounts of memory or crash.

Fix:
The BIND library has been patched for CVE-2014-8500.

Recommendation:
Upgrade to patched version if applicable.
 221576 The optimization service no longer crashes if a network error results in the
closure of an optimized MAPI connection.
 221793 The SteelHead uses the same authentication information for the HTTPS
connections to the SCC and the secure transport controller. Thus, when the HTTPS
connection between the SteelHead and the SCC is renewed, any failed HTTPS
connection between the SteelHead and the secure transport controller is now
renewed with the updated authentication information. As a result, the SteelHead
now attempts to connect to the secure transport controller when the connection to
the SCC is established.
 222156 When Citrix optimization is enabled on the SteelHead, it no longer leaks
memory for each Citrix connection using secure ICA and RC5 encryption. The
memory leak occurred once during the Citrix connection while parsing the ICA
packet with Diffie-Hellman parameters sent by the Citrix server.

 222333 Cross-Frame Scripting (XFS) vulnerabilities in path selection and QoS pages.

Details:
Some of the new path selection and QoS pages were vulnerable to Cross-Frame
Scripting (XFS) vulnerabilities by logged-in users.

Fix:
Sanitized user input on path selection and QoS pages, preventing scripting tags from
being rendered.

Recommendation:
Upgrade to patched version if applicable.
 222718 NTP: Network Time Protocol cumulative security update RHSA-2014:2024-1

Details:
This security update addresses the following issues:
CVE-2014-9293: It was found that the ntpd protocol automatically generated weak
keys for internal use if no ntpdc request authentication key was specified in the
ntp.conf configuration file. A remote attacker, able to match the configured IP
restrictions, could guess the generated key and possibly use it to send an ntpdc
query or configuration requests.
CVE-2014-9294: It was found that the ntp-keygen program used a weak method for
generating MD5 keys. This could possibly allow an attacker to guess generated MD5
keys that could then be used to spoof an NTP client or server.
CVE-2014-9295: Multiple buffer overflow flaws were discovered in the ntpd
crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use
either of these flaws to send a specially crafted request packet that could crash ntpd,
or potentially, execute arbitrary code with the privileges of the NTP user.
CVE-2014-9296: A missing return statement in the receive() function could
potentially allow a remote attacker to bypass the NTP authentication mechanism.

Fix:
RiOS, in its default setting, is not impacted by any of the above issues. However, the
NTP module has been upgraded to a version that addresses these issues.

Recommendation:
Upgrade to a v9.1 version of RiOS that has the updated NTP module.

 222800 CVE-2014-3583: Apache HTTP Server v2.4.10 FastCGI Denial of service. The
Apache HTTP Server v2.4.10 allows remote FastCGI servers to cause a denial of
service via long response headers.

Details:
The handle_headers function in mod_proxy_fcgi.c and the mod_proxy_fcgi module
in the Apache HTTP Server v2.4.10 allows remote FastCGI servers to cause a denial
of service (buffer over-read and daemon crash) via long response headers.

Fix:
Apache v2.4.10 in RiOS has been patched for CVE-2014-3583.

Recommendation:
Upgrade to patched version if applicable.
 222888 A new winbind integrity task for processes count has been added to check
the number of running processes against a limit. This task runs once a day and
restarts the winbind process automatically if the threshold is exceeded.
The existing memory check of the winbind integrity task has also been enhanced to
check the total memory consumption (sum of the memory usage of all winbind
processes) against a limit.
 223129 Fixed an issue where a kernel crash could occur on systems with a 10 gigabit
interface card, when the system is in the process of shutting down. The adapter is now
declared down immediately upon entering the shutdown process so that all other threads
can bypass the down adapter.
 223187 Unzip utility: Multiple buffer overflows and out-of-bounds vulnerabilities.

Details:
Multiple buffer overflows and out-of-bounds vulnerabilities were reported in the
'Unzip' utility.
CVE-2014-8139: Heap overflow condition in the CRC32 verification of Unzip which
might result in arbitrary code execution.
CVE-2014-8140: Out-of-bounds write in Unzip's test_compr_eb() function due to
bad uncompressed size value.
CVE-2014-8141: Out-of-bounds read in Unzip's getZip64Data() function due to lack
of error detection and reporting.

Fix:
'Unzip' utility has been updated to patch the following vulnerabilities:
CVE-2014-8139, CVE-2014-8140 & CVE-2014-8141.

Recommendation:
Upgrade to patched version if applicable.

 223242 Fixed an issue where the help pages on the SteelHead dashboard were
returning a 401 unauthorized error.
 223254 Fixed an issue where a SteelHead CX255L/M/H running RiOS v8.6.2 raised a
fan speed alarm, when there is no fan or fan speed failure. This problem impacts
the CX255 running RiOS v8.6.2 only. No other products are impacted when running
RiOS v8.6.2. The CX255 is not impacted if it is running a different RiOS version.
 223474 Outlook uses regular HTTP requests (for example, for Exchange Web
Services) on an optimized HTTP(S) connection. If the SteelHead has enabled Outlook
Anywhere optimization for these connections, the SteelHead failed to start Outlook
Anywhere optimization if the HTTP connection did not start with Remote Procedure
Call (RPC) over HTTP requests. The fix in RiOS v9.1 allows the optimization service to
start Outlook Anywhere MAPI optimization on HTTP connections at any time.
 223624 RiOS now correctly handles prefetch requests larger than 1 MB. In RiOS
8.5.3 or later, HTTP connections would go into a bypass state after seeing a
response larger than 1 MB. In newer versions the SteelHead only stops buffering
response data, and this results in prefetches of the larger object missing content
when requested by the client.
 223760 CVE-2014-6272 libevent: Multiple integer overflow flaws were found in the
evbuffer API of Libevent.

Details:
Multiple integer overflow flaws were found in the evbuffer API of libevent. An
attacker, able to make an application pass on an excessively long input to the
libevent via evbuffer API, could use this flaw to make the application enter an
infinite loop, crash, and, possibly, execute arbitrary code.

Fix:
The Libevent library has been removed from RiOS. Prior to this fix, RiOS was not
impacted by this vulnerability since the Libevent library was not being used.

Recommendation:
Upgrade to a RiOS version that does not have the libevent library.

 223798 This defect in the QoS rule matching logic is resolved and now correctly
matches the expected QoS rule.

 223897 CVE-2014-8150 Libcurl: HTTP response splitting attacks via a CRLF injection
vulnerability.

Details:
A CRLF injection vulnerability in libcurl v6.0-7.x and before 7.40.0, when using an
HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct
HTTP response splitting attacks via CRLF sequences in a URL.

Fix:
The Curl library has been patched for CVE-2014-8150.

Recommendation:
Upgrade to patched version if applicable.
 223930 An alarm flash error was triggered on the SteelHead after 3 days. For certain
models of SteelHead (SHxx50, CX1555, EX1160, EX1260), RiOS uses a system to have
a redundant copy of the contents of the flash device. This fix addresses an issue
wherein errors while writing to the flash device would trigger faulty error handling
in the data synchronization code.
 224044 Fixed an issue where a rare error in reading hardware sensors was not
handled properly and might cause a sysdump not to complete on the SteelHead
models 3070, 5070, and 7070.
 224081 Fixed the handling of port label updates during SteelCentral Controller (SCC)
pushes of hybrid network policies to prevent "DP_SETUP_ERROR" messages from
occurring when the SCC pushes QoS policies to the SteelHead.
 224128 Fixed an issue where HTTP cache statistics displayed in the Management
Console and CLI are incorrect. The root cause was inaccurate counts for total HTTP
requests. This resulted in a bad denominator in the rate computation that has been
corrected with this fix.
 224439 The message is for information only and does not impact system operation.
Request to get a system event log (SEL) entry during a system shutdown is handled
by dropping the command.
 224505 Fixed a problem with Current Connections in both Management Console
and CLI, neither of which showed per-connection QoS information in v9.0.0. This
release changed the internal architecture of the QoS feature. The Current
Connections report in the Management Console and the "show connection/flow"
CLI commands were missed in the conversion to the new architecture.
 224536 Fixed the CLI output for "show application" CLI command when the DSCP
value is set to 0.
 224580 Fixed a crash by ensuring that the initial connection validation routine for
signed SMB connections in delegation mode does not make repeated IO checks for
availability of the secure vault.

 224738 OpenSSL cumulative security update for advisory - secadv_20150108.

Details:
This update addresses the following issues:
CVE-2014-3571: DTLS segmentation fault in the dtls1_get_record.
CVE-2015-0206: DTLS memory leak in the dtls1_buffer_record.
CVE-2014-3569: no-ssl3 configuration sets method to NULL.
CVE-2014-3572: ECDHE silently downgrades to ECDH [Client].
CVE-2015-0204: RSA silently downgrades to EXPORT_RSA [Client].
CVE-2015-0205: DH client certificates accepted without verification [Server].
CVE-2014-8275: Certificate fingerprints can be modified.
CVE-2014-3570: Bignum squaring might produce incorrect results.
For more information, see: https://www.openssl.org/news/secadv_20150108.txt

Fix:
Of the issues listed above, RiOS management is not impacted by CVE-2014-3571,
CVE-2015-0206, CVE-2014-3572 and CVE-2015-0204. However, the OpenSSL library
has been updated to a version that patches all of the above issues.

Recommendation:
Upgrade to patched version if applicable.
 224739 Fixed an issue when inbound QoS is enabled where QoS migration calculates
the upstream bandwidth for all remote sites by dividing the local downstream
bandwidth by the number of remote sites. This might result in unduly constrained
bandwidth from each remote site.
 224747 Fixed a bug where a certificate, created using a CSR from the SteelHead,
could not be used to "replace" the current certificate through the Secure Peering
(SSL) page.
 224982 Fixed an issue where long HTTP headers were not being handled correctly.
This error corresponds to the 'HTTP_ERR_LINE_TOO_LARGE' message in the log.
 225109 Fixed an issue where the QoS scheduler is not automatically updated when
the interface MTU changes. Added logic to automatically update the SFQ quantum
value when an interface MTU changes.
 225250 Fixed a CLI freeze when showing connections on a SteelHead with 130,000
or more connections. The "show connections" command now displays a maximum
of 50,000 connections. Filters can be used to ensure that desired connections are
shown.
 225257 Added validation to prevent configuring a peer IP address that is already
configured as a /32 subnet in an existing site.

 225301 Fixed an issue where the SteelHead Management Console would not be
accessible after upgrading to RiOS v8.6.2 and v9.0.0, if an optical 1 Gig add-on NIC
was installed. This problem occurs only if the configuration is set to Auto speed and
duplex.
 225347 Fixed a memory leak in the SSL certificate expiring alarm function.
 225488 CVE-2015-0235 - The glibc gethostbyname buffer overflow (GHOST
vulnerability). A heap-based buffer overflow was found in the glibc
__nss_hostname_digits_dots() function that is used by the gethostbyname() and
gethostbyname2() glibc function calls.

Details:
A heap-based buffer overflow was found in the glibc __nss_hostname_digits_dots()
function that is used by the gethostbyname() and gethostbyname2() glibc function
calls. A remote attacker, able to make an application call to either of these
functions, could use this flaw to execute arbitrary code with the permissions of the
user running the application (that is, a GHOST vulnerability).

Fix:
The glibc library has been updated to patch the GHOST vulnerability.

Recommendation:
Upgrade to patched version if applicable. See knowledge base article S25833 for
more details.
 225828 CVE-2014-9130: Libyaml: Denial of service when processing wrapped strings.

Details:
An assertion failure was found in the way the libyaml library parsed wrapped strings.
An attacker able to load specially crafted YAML input into an application using
libyaml could cause the application to crash.

Fix:
Libyaml module has been patched for CVE-2014-9130.

Recommendation:
Upgrade to patched version if applicable.
 225712 Fixed incorrect optimized flows and WAN capacity configuration for CX570,
CX770, and CX3070 models.
 226206 Fixed the issue so that ‘SteelCentral Controller (SCC) Communication
Service’ comes back up once the network error on the SteelHead recovers,
reestablishing the communication channel between the SteelHead and the SCC. The
following error appeared in the logs:
[yarder.services.ERROR] Failed to load service module lumberjack-svc-ocd

 227550 Fixed an issue where GeoDNS for SteelHead SaaS would have failed to find
the optimum SteelHead against certain destinations of Office 365 Exchange server
regions, potentially causing degradation in performance.
 227734 Fixed an issue that ensures that the RiOS optimization service does not crash
while processing lease notification if the lease has already been deleted from the
lease store while notification is being processed.
 227878 The time zone data has been upgraded to 2015a to properly handle the leap
second at 2015/06/30 23:59:60 UTC.
 228019 Fixed an issue where the QoS profile options would stay hidden when
adding or editing a nonlocal site after editing the local site. The local site does not
have any QoS profiles, but every other site does.
 228262 Fixed an issue where setting the maximum domain child processes for the
winbind daemon, with "domain settings max-children" set to less than the total
number of trusted domains, results in high CPU utilization in the winbindd process.
The algorithm to release idle processes in the winbind daemon had an issue that
could, in some situations, lead to looping indefinitely over the list of child processes,
causing 100% CPU utilization. The fix consists of rewriting the stop condition of the
iteration to break the loop when all processes have been looked at.
 228572 Enhanced security for telemetry connections

Details:
Enhanced security for telemetry connections

Fix:
Improved the certificate validation process for the HTTPS telemetry connections
made between an appliance and the remote server.

Recommendation:
Upgrade to patched version if applicable.

 229673 Security update for the glibc functions getaddrinfo() and gethostbyname_r().

Details:
CVE-2013-7423: It was discovered that, under certain circumstances, the glibc
getaddrinfo() function would send DNS queries to random file descriptors. An
attacker could potentially use this flaw to send DNS queries to unintended
recipients, resulting in information disclosure or data loss due to the application
encountering corrupted data.
CVE-2015-1781: A buffer overflow flaw was found in the way glibc's
gethostbyname_r() and other related functions computed the size of a buffer when
passed a misaligned buffer as input. An attacker able to make an application call any
of these functions with a misaligned buffer could use this flaw to crash the
application, or potentially, execute arbitrary code with the permissions of the user
running the application.

Fix:
The glibc library has been updated to patch CVE-2013-7423 and CVE-2015-1781.

Recommendation:
Upgrade to patched version if applicable.
 229846 CVE-2015-1349: BIND trust anchor management remote DoS.

Details:
A flaw was found in the way BIND handled trust anchor management. A remote
attacker could use this flaw to cause the BIND daemon (named) to crash under
certain conditions.

Fix:
The BIND library has been updated to patch CVE-2015-1349.

Recommendation:
Upgrade to patched version if applicable.
 230034 Fixed an issue where QoS and path selection classification is bypassed for
optimized connections after a configuration push from the SteelCentral Controller
(SCC) occurs, while the SteelHead is experiencing a high number of new connections
per second. This fix improves the handling of configuration updates while traffic is
running to avoid classification bypass for optimized connections.

 230154 OpenSSL cumulative update for security advisory secadv_20150319.

Details:
The OpenSSL security advisory https://www.openssl.org/news/secadv_20150319.txt
identifies several vulnerabilities of which the following impact RiOS:
CVE-2015-0204: RSA silently downgrades to EXPORT_RSA (Severity: High)
CVE-2015-0286: Segmentation fault in ASN1_TYPE_cmp (Severity: Moderate)

Fix:
OpenSSL has been upgraded to patch the vulnerabilities identified in the security
advisory secadv_20150319.

Recommendation:
Upgrade to patched version if applicable.
 230606 The Quality of Service feature does not support IPv6. This fix suppresses the
display of QoS information for IPv6 traffic.
 230912 RiOS was making a legal, but optimistic interpretation of HTTP cache
guidelines. Evaluation of the cache validator headers has been reverted to more
conservative guidelines to avoid the conflict.
 230982 Fixed an issue where a redundant power supply failure was not raising an
alarm.
 231397 Fixed an issue preventing the creation of applications using host labels for
which DNS resolution is still pending.
 231500 Fixed an issue when signing is negotiated on a CIFS/SMB session using the
Mac OS 10.9 or 10.10 as a client, the connection might be terminated during server
access. However, the client transparently reconnected without impacting the user.
Connection termination on a signed CIFS/SMB connection as a client has been fixed.
This issue was happening because of the incorrect calculation of the SMB signing
value.
 231508 Fixed an issue in the NFS implementation on the client-side SteelHead that
slowed down large (1MB) writes to the server. The slowness was due to the
SteelHead taking too long to prepare the packet to send over the WAN and then
starving while waiting for the next packet from the client, as part of the fix for bug
192781. The fix stores a packet for future processing while actively
processing a packet, so the starving does not happen.
 231669 Changed the Management Console Current Connections report to not
highlight 100% reduction with the same red border as 0% reduction. This
erroneously suggested that near-100% reduction was bad. The red highlight for 0%
is retained.
 231844 Fixed an issue causing periodic transient CPU usage spikes, leading to CPU
alarms on lower-end models.

 232047 Fixed an issue that caused the following WARNING messages, which are
harmless, to appear on the message log:
[rgpd.WARNING]: ‘Binding /rbt/support/config/sfp-branding/enable not consumed
during reverse mapping’
[rgpd.WARNING]: ‘Binding /sfp/config/branding/supported not consumed during
reverse mapping’
 232178 Fixed an issue where the QoS bottleneck bandwidth calculated to each
remote site might be incorrect.
 232476 Fixed an issue where high traffic load would lead to an incomplete QoS
daemon shutdown, leading to a process core. The shutdown will now complete
gracefully without a process core.
 232526 Because MAC OSX clients with SMB2 optimization use alternate streams
problems occur while saving Excel files. This fix provides a hidden CLI command to
disable optimization for alternate streams. This is the default behavior.
 232561 The change fixes the handling of short invalid kerberos request packets on
HTTP connections.
 232630 Fixed an issue where path selection details would disappear from the
Current Connections page during a path failover. This issue was due to a new
variable (i.e., the least recently used path index) that was not accounted for in the
Management Console code.
 232692 Fixed potential vulnerabilities in the Linux kernel for 2015 leap second
adjustment.
 233913 This error message "[pm.ERR]: Output from yarder_core: svc-upgrader:
error: argument -y/--yaml_dir is required." is harmless and does not impact the
functionality of the system.
 234195 Fixed an issue preventing the QoS feature from being enabled after the
optimization service is disabled.
 234833 When upgrading from 8.6.0, 9.0.0 or 9.0.1 to 9.1.0, the QoS configuration is
now migrated successfully without error.
 235961 Fixed an issue where a role-based management user with read-only
permissions was allowed to click the "Save" and "Revert" buttons on the
Configuration page, even though the functionality did not work. These buttons are
now disabled for role-based management users with read-only permissions.
 236287 Fixed an issue where QoS statistics would not be collected when the
SteelHead has limited memory and is configured with a very large number of sites.
 236335 The Optimization Service was intermittently crashing while users were
accessing SharePoint services through the SteelHead. Identified and fixed a problem
related to the parsing of HTTP WebDAV responses with a status code of 207
(Multi-Status). Multi-Status responses lacking XML-namespace prefixes were causing
the optimization service to terminate improperly.

 236443 Fixed an issue so that CLI commands for QoS or path selection rules with
spaces in the "application" or "apptag" names no longer fail.
 236486 Fixed an issue that caused RiOS optimization service to halt unnecessarily
for a recoverable connection error. This issue occurs when an optimized connection
is aborted during connection set up. With this fix, the aborted connection is dropped
but the optimization service keeps running.
 236548 Fixed an issue where copying a QoS profile did not set the default class
properly. If the default rule had been changed from its original value, the new
profile now properly copies this change. Previously, the new profile copied the
original default rule.
 236863 The RiOS optimization failure no longer occurs with an error message saying
"Content-Length exceeded, but in a non-expected HTTP state." The MAPI
optimization service was changed to drop the problematic connection instead of
crashing in the event that it encounters the unexpected condition that the content
length is exceeded but it is not in the expected HTTP state.
 236995 Fixed an issue where, in rare cases, the optimization service could crash
when an Outlook Anywhere (OA) connection sent a message to the other
virtually connected OA connection that had already been deleted.
A Virtual Connection (VC) object is used to handle requests and responses from two
half-duplex OA connections, and it has definite knowledge of whether each OA
connection exists. The message sent by one OA connection to another is now routed
through the VC, and the VC makes sure that the message is not forwarded to the
deleted OA connection.
 237070 Fixed a scrolling issue with "Edit Sites" option on the Sites page. Now the
option remains in the same place whereas previously it could scroll off the screen.
 237637 Fixed a problem where role-based management users were unable to run
scheduled jobs, seeing log errors "Permission denied: mkdir(/var/opt/tms/sched/3,
755)".
 237820 Fixed an issue where the creation and deletion of many sites can lead to
failures when enabling QoS shaping. The following log message is seen when this
issue occurs: "Could not parse tc error: Error: argument "invalid class ID" is wrong:
1:10000:".
 237939 Fixed a memory leak on SteelHeads with path selection enabled. The
SteelHead slowly leaked memory in cases where the customer has a Layer 2 network
with a high number of unreachable paths. As a result, the SteelHead required a
restart every few days.
 238607 Fixed an issue where cached authentication cookies could lead to data
leakage between O365 SharePoint users. Identified and corrected a problem where
authentication cookies were being cached.

 239117 Fixed an issue where the "show flows" and "show connections" CLI
commands would show pass-through traffic before optimized traffic. Optimized
traffic is now displayed before pass-through traffic.

4) KNOWN ISSUES
 165137 The SteelHead peer-version string might be displayed incorrectly in the
Current Connections page. This issue occurs if the SteelHead being monitored is
connected to multiple SteelHead peers that have the same public IP address. No
known workaround.
 195507 A SteelHead is not reachable for Path Selection from remote peers if its
optimization service is disabled. No known workaround.
 198015 The SteelHead cannot be managed by the SteelCentral Controller for
SteelHead (versions 9.0.0 and above) when requisite management channels are not
established. SCC versions 9.0.0 and above require two channels to the appliance -
an SSH channel and an HTTPS channel. The status of these channels can be viewed
on the SteelHead terminal with the command: show scc
A sample output of this command is shown below:
amnesiac > show scc
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: bravo-sh378
SSH connection (from the CMC):
Status: Connected
Hostname: bravo-sh378 (10.5.39.87)
When the hosts for the HTTPS and SSH connections are different, or the two channels
do not both have “Connected” status, the appliance cannot be fully managed by the SCC.
To connect a SteelHead to the SCC, use the command:
scc hostname <hostname> in configure mode to establish the connections.
If both connections show “Connected” but to two different SCCs, remove the
appliance from the Manage -> Appliances page on the incorrect SCC and
update the appliance username and password on the correct SCC.
If the SCC hostname was never configured on the appliance, the appliance will try to
connect to the host riverbedcmc. Make sure to update your DNS to point the
hostname riverbedcmc to the correct SCC that is managing the appliance.
 204204 After a report has been viewed for a long time without being refreshed, an
error dialog "Unable to parse response" can appear. On a heavily loaded appliance,
this could happen in 1-2 hours, but might not happen at all. Refresh the report to
clear the dialog.
 217457 On a heavily loaded SteelHead, clicking the "after waiting, click here" link
does not work. Log in appears successful, but there are errors in the Management
Console after log in. Log out and log in to clear the issue.

 218352 When class names are manually selected for display in a Web QoS report in
a version lower than v9.0 and the SteelHead is upgraded to v9.0 or later, the report
data might appear to be missing because the class names can change during
migration. Reselect the desired classes using their post-migration names.
 225148 Importing a configuration will fail if the user's password contains an at-sign
(@). During configuration import, this is erroneously read as a user@host pair and
the import will not succeed. Avoid using the at-sign (@) in passwords.
 227509 Under some circumstances, a customer's explicitly defined configurations for
admission control, datastore, MAPI prepopulation, SSL bypass table, HTTP stream splitting
inflight cache will be overwritten with default values upon upgrade to RiOS 9.1.x.
If changes have been made to admission control, datastore, MAPI prepopulation, SSL
bypass table configurations or HTTP stream splitting inflight cache, note their values prior to
an upgrade to RiOS 9.1.x and reconfigure them if not correct after upgrade.
 229980 When the Web proxy feature is enabled, eligible traffic is handled by
Web Proxy, and any transparency options set on the applicable in-path rule are
ignored. No workaround is available. Be aware that transparency options do not
apply to traffic optimized by Web Proxy.
 232641 In some situations, as part of system reboot, the application stats service
fails to properly initialize.
Error level log messages reporting AppStats service start-up failure are logged in this
situation. Workaround: system restart.
 233903 On Virtual SteelHead xx50 models, the configuration partition may become
full, resulting in errors similar to [mgmtd.ERR]: lf_write_bytes_tbuf(),
file_utils.c:1077, build (null): Error code 14014 (generic IO error) returned. If errors
occur in the logs after attempting to save the configuration, manually delete the
saved configuration backup files that are no longer required from the Management
Console or CLI.
 235131 EtherChannel does not support bundling of management in-path interfaces
along with in-path interfaces. Since there is no bundling of management in-paths,
link failover between the management interfaces is not supported when
EtherChannel is enabled. No known workaround.
 236023 When 'Auto-Negotiation of MultiStream ICA' is enabled on a SteelHead, a
Citrix XA/XD 7.6 server is used and a priority 0/2/3 connection is broken, the 'Auto
Client Reconnect' on the Citrix Receiver will not automatically reconnect the Citrix
session. The user can manually restart and resume the Citrix session if the session
was saved on the Citrix server.
 237024 Disabling REST API access on SH will cause hybrid networking, QoS, Secure
Transport and SEPIA policy push from SCC to fail. Enable 'REST API' access on SH.
This configuration is on the Configure › Security › REST API Access page.

 237223 Intermittently Citrix multi-stream applications are not identified and tracked
by the application stats service. No known workaround.
 238175 For connections optimized by Web Proxy, the table on the Current
Connections report will always show 'W' for Connection Type even if the connection
is opening or closing. Open the connection detail, which shows the correct icon.
 238497 Menu commands are hidden, not disabled, for "monitor" users. This is a
change from v8.6, where the commands were visible but disabled. In a future
release, the original behavior will be restored. No known workaround.
 238599 When the SteelHead is in an Interceptor cluster, but no cluster channels are
configured, the Current Connections report may incorrectly show that Path
Selection is occurring. The report will show correct information once channels are
configured but will continue to show erroneous Path Selection information as long
as they are not.
 238799 An RBM user with no read or read-write roles assigned is denied access to
the WebUI with the following error "Unable to sign in: Failed obtaining authorization
data for user." Ensure that RBM users have at least one read or read-write role
assigned to their account.
 238959 The Current Connections report in the Web UI may not always report path
usage in the correct order, as the timestamp is not always indicative of the most
recent path usage. When knowledge of path order is critical, use the corresponding
CLI command, which will always show correct information.
 239385 The MAPI transparent prepopulation max connection value will be reset to
default upon upgrade. After upgrading, reconfigure to the desired value.
 240317 Application statistics are missing from the appliance's configuration restore
procedure. This happens when downgrading from 9.1.0 to an earlier release, and
then upgrading to 9.1.0. Upon configuration restore completion, explicitly enable
application statistics if needed.
 240580 Error messages like "[pm.ERR]: Output from yarder_rbt..." are seen in the
system log after changing the logging configuration minimum severity level.
 241888 When the version of SMB3 is not supported by RiOS, SMB3 connections may
be reported as SMB2 on the SteelHead UI.
 244856 When replacing only the certificate (e.g., created using a CSR from the
SteelHead) via the Web Settings page, no confirmation is provided in the UI and
messages like "[web.ERR]: web: Traceback" are seen in the syslog. These messages
can be ignored. There is currently no UI workaround. Performing this operation via
the CLI will not produce the error messages.
 245876 After abandoning an Add or Edit of a Site after receiving an error message,
the error will remain when the Add or Edit popup is reopened. The spurious error will
disappear upon the next successful Add or Edit of a Site or upon page refresh.

5) UPGRADING THE RIOS SOFTWARE VERSION
UPGRADING ALERT
 If you use SteelCentral Controller for SteelHead (SCC) to manage your appliances,
you must upgrade SCC to a specific version before you upgrade your appliances to
this software version. Failure to do so will prevent communication between SCC and
your appliances. See Knowledge Base Article S27759 for complete details.
 Path Selection: Upon upgrading a SteelHead from RiOS version 8.6.x or earlier to
9.0.0 and later, existing path selection rules are not automatically migrated. Please
refer to Knowledge Base article S25533 for details.
 QoS: RiOS version 9.0.0 and later uses a completely new QoS management and
syntax compared to RiOS version 8.6.x and earlier. Please refer to Knowledge Base
article S25532 for details prior to upgrading to RiOS version 9.0.0 and later.

Review the SteelHead CX Installation and Configuration Guide for information on upgrading
the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see the Virtual
SteelHead CX Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud
Services User's Guide.

6) STEELCENTRAL CONTROLLER FOR STEELHEAD (SCC) COMPATIBILITY
If you use SteelCentral Controller for SteelHead (SCC) to manage your appliances, you must
upgrade SCC to a specific version before you upgrade your appliances to this software
version. Failure to do so will prevent communication between SCC and your appliances. See
Knowledge Base Article S27759 for complete details.

SCC was formerly known as Central Management Console (CMC). Review the SteelHead CX
Installation and Configuration Guide for information on SCC compatibility.

7) HARDWARE AND SOFTWARE DEPENDENCIES


Review the SteelHead CX Installation and Configuration Guide for information on hardware
and software dependencies. For Virtual SteelHeads, see the Virtual SteelHead CX Installation
Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services User's Guide.

8) CONTACTING RIVERBED SUPPORT
Visit the Riverbed Support site to download software updates and documentation, browse
our library of Knowledge Base articles and manage your account. To open a support case,
choose one of the options below.
Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial
+1 415-247-7381.
Online
You can also submit a support case online.
Email
Send email to [email protected]. A member of the support team will reply as quickly as
possible.

©2017 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo
used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their
respective owners. The trademarks and logos displayed herein may not be used without the prior written
consent of Riverbed Technology or their respective owners.
