===============================================
= Changes between 9.1.1314.0 and 9.1.1328.0 =
===============================================

Resigning of Mac Clients with new certificates

Security enhancements:
 Issue 140742 - CVE-2016-9840
 Issue 141763 - CVE-2017-1203
 Issue 141767 - CVE-2017-1219

APARs addressed:
 Issue 146876 - APAR IV97175 - BIGFIX CLIENT ON MAC CANNOT BE INSTALLED BECAUSE THE SIGNING CERTIFICATE EXPIRED

===============================================
= Changes between 9.1.1301.0 and 9.1.1314.0 =
===============================================

IBM BigFix Platform 9.1 Patch 10 is a patch release with Security enhancements and APAR fixes.

Security enhancements:
 Issue 138529 - CVE-2016-0729
 Issue 138527 - CVE-2016-8617
 Issue 138524 - CVE-2016-8624
 Issue 138522 - CVE-2016-8621
 Issue 139186 - CVE-2017-1227

APARs addressed:
 Issue 139314 - APAR IV92549 - MISLEADING ERROR MESSAGE WHEN THE INSPECTOR EVALUATING THE RELEVANCE IS INTERRUPTED
 Issue 137365 - APAR IV93015 - BIGFIX DOMAIN ICONS IN WEBREPORTS HOME PAGE ARE NOT DISPLAYED USING INTERNET EXPLORER
 Issue 139293 - APAR IV93392 - RELAY DIAGNOSTICS PAGE NOT WORKING PROPERLY WITH SOME BROWSERS

===============================================
= Changes between 9.1.1275.0 and 9.1.1301.0 =
===============================================

APARs addressed:
 Issue 72968 - APAR IV76841 - SOME RELAYS MAY BECOME UNRESPONSIVE AFTER DISABLING THE MLE REPORT ENCRYPTION
 Issue 131120 - APAR IV76583 - ERROR ON CONSOLE CLICKING A FIXLET OR TASK. DIAGNOSTIC MESSAGE: NOSUCHSITE
 Issue 131522 - APAR IV80816 - UNCLEAR ERROR MESSAGE IN AIR GAP TOOL

Other Bugs fixed:
 Issue 131167 - add version and exit to admin tool cli tracing ...
 Issue 131168 - add serviceability tracing for some Requirement failure errors ...
===============================================
= Changes between 9.1.1257.0 and 9.1.1275.0 =
===============================================

Update to OpenSSL 1.0.1t to address vulnerabilities in previous OpenSSL versions

APARs addressed:
 Issue 72245 - APAR IV85374 - CLIENT RECURSIVE DELETING HAS TO BE ABLE TO HANDLE A SYMLINK

Other Bugs fixed:
 Issue 71851 - High CPU consumption of BESClient on Windows
 Issue 72248 - Cancelling server installer "in need of reboot" causes installer to crash

=============================================
= Changes between 9.1.1233.0 and 9.1.1257.0 =
=============================================

9.1.1257.0 (9.1 Patch 7) is a patch release to close security vulnerabilities and fix a limited number of bugs. If you are running a 9.1 deployment, you need to upgrade in order to close the vulnerabilities.

CHANGES:

Security
 * Updated version of OpenSSL used by Platform to 1.0.1p
 * Updated version of jQuery to 1.8.2
 * Eliminated use of RC4 cipher to eliminate "Bar Mitzvah" vulnerability.
 * Changed use of frames to eliminate clickjacking vulnerability
 * REST API now sets HttpOnly on its cookies
 * Fixed issue where, under a specific condition, Web Reports may log user credentials (APAR: IV74066)

Server
 * After upgrade, local operators can only log in with their old password (APAR: IV69879, Issue #65930)
 * New property could reuse a deleted property id and thus display incorrect information (APAR: IV67143, Issue #67293)

Web Reports
 * WebReports crashes if report generation exceeds memory capacity (APAR: IV68979, Issue #65974)
 * After upgrade, Web Reports is unresponsive (APAR: IV72497, Issue #67205)

Client
 * Message for action conclusion is randomly displayed (APAR: IV72288, Issue #66861)

=============================================
= Changes between 9.1.1229.0 and 9.1.1233.0 =
=============================================

http://www-01.ibm.com/support/docview.wss?uid=swg21696138

 * Incorrect "Group membership" and "Relevance expression is false" site subscription relevance generation (APAR IV68955)
 * Baseline creation database error affecting the Linux server (APAR IV68735)
 * Web Reports LDAP role assignment issue after upgrade (APAR IV69132)
 * Console issue when using both four-eyes authentication and requiring reauthentication for every action (APAR IV64875)

=============================================
= Changes between 9.1.1117.0 and 9.1.1229.0 =
=============================================

9.1.1229 (9.1 patch 5) is a patch release to close security vulnerabilities and to fix a few general bugs. If you are running a 9.1 deployment, you need to upgrade in order to close the vulnerabilities and get the benefits of the bug fixes.

CHANGES:

Security
 * Updated version of OpenSSL used by Platform to 1.0.1j.
 * Eliminated use of SSL 3.0 protocol in order to close "POODLE" vulnerability.
 * Prevented XSS attacks on Relay.

Client
 * Fixed issue with invalid encoding setting killing Client (issue #62934).
 * Fixed issue with calculating distance to relay (issue #59135 APAR: IV55875).
 * Fixed issue with CPU usage spiking on AIX (issue #59758 APAR: IV59238).
 * Fixed issue with no preamble in Proxy Agent log (issue #63270).
 * Fixed issue with Memory leak in some x64 environments (issue #63655 APAR: IV61901).
 * Fixed issue with detection of Proxy Agent in upgrade fixlet not working on older releases (issue #63884).
 * Fixed issue with upgrade scripts using /var/tmp (issue #63887 APAR: IV62942).
 * Fixed issue with presenting wrong information from cache and deployment logs (issue #61358).
 * Fixed issue with Client service being disabled on Solaris (issue #63001 APAR: IV66725).
 * Fixed issue with fixlets not becoming relevant on HP (issue #63753 APAR: IV65253).
 * Fixed issue with Client crashing on Pentium 3 machines (issue #65260 APAR: IV65194).
 * Fixed issue with Last start time of application usage summary giving inconsistent results (issue #65360 APAR: IV66854).
 * Fixed issue with duplicate ClientUI tmp dir after Client upgrade from 9.0 to 9.1 (issue #61813).
 * Fixed issue with Client crashing when using the "wifi" inspector (issue #65466 APAR: IV66723).
 * Added the ability to configure the RESTAPI relevance timeout when querying Web Reports and set the default to 10 minutes (issue #65562).

Relay
 * Fixed issue with the way ResistFailureInterval is used (issue #62898 APAR: IV62367).

Client Deploy Tool
 * Fixed issue with Client Deployment Tool presenting wrong information from cache and deployment log (issue #61358).
 * Fixed issue with Client Deploy tool not processing IP address ranges correctly (issue #63964).

Installer
 * Fixed issue with Linux Silent Installation crashing rather than indicating parameter needed (issue #63501).

RESTAPI
 * Fixed issue with deleting Custom Sites causing InvalidSubscription Exception (issue #63633).
 * Improved memory consumption for some calls (issue #64993).
 * Fixed issue with analysis activation and deactivation failing for NMOs (issue #63162).
 * Fixed issue with child components not stopped when baseline is stopped (issue #65118 APAR: IV64826).
 * Fixed issue with Analysis Activation Request returning activation ID (issue #63196).
 * Fixed issue with Analysis activation and deactivation failing for NMOs (issue #64990).
 * Fixed issue with encoding of special characters in responses (issue #65169 APAR: IV55011).
 * Fixed issue with /api/help/help and /api/help/login not working (issue #65297).
 * Fixed issue with Custom site creation with property-based subscription not working (issue #65410 APAR: IV66873).
 * Fixed issue with Software Distribution Wizard failing and reporting an HTTP 500 error in method /data/import (issue #47780).
 * Fixed issue with API calls failing because of stale connections to DB (issue #59017).

Console
 * Fixed issue with wrong Offer being launched upon pressing "Click here to accept this offer" (issue #65168 APAR: IV61693).
 * Fixed issue with right-click remove option on BES Support deleting the BES Support site with no warnings (issue #65165 APAR: IV65937).
 * Fixed intermittent issue with "Access Denied" pop-up when submitting Action for target-list (issue #62382 APAR: IV59147).
 * Fixed issue with NMOs unable to take actions on some administered computers (issue #63788).

Server
 * Fixed issue with custom site creator username being truncated (issue #63639).
 * Fixed issue with all MIME fields being lost when creating Custom Copy of SCM fixlet (issue #62540 APAR: IV61257).
 * Fixed issue with rows in LONGQUESTIONRESULTS not existing in QUESTIONRESULTS after upgrade (issue #63304 APAR: IV63224).
 * Fixed issue with FillDB backing up and SQLServer consuming 100% CPU after upgrade (issue #63931 APAR: IV63044).
 * Fixed issue with the server hanging when deleting a site or operator (issue #65024).
 * Fixed issue with LDAP search failing on a name containing ' (like O'Connor) (issue #64873 APAR: IV65509).
 * Fixed issue with COLLATE in Japanese Language and padding of strings (issue #64759 APAR: IV64986).
 * Fixed issue with performance of getting stale fixlet results for debugging (issue #63640).
 * Fixed issue with authentication on Proxy failing when using Domain user (issue #65050 APAR: IV59779).
 * Fixed issue with Clients failing to subscribe to all external sites with custom site subscription relevance (issue #65261).
 * Fixed issue with IEM on RHEL not working with DB2 10.5 FP4 (issue #64808 APAR: IV64899).
 * Fixed issue with getting duplicate ActionSite object after using /resignInvalidSignatures (issue #62652 APAR: IV66399).
 * Fixed issue with getting SignedDataVerificationFailure in LDAP environments upgraded from 9.0 with deleted duplicate users (issue #65389 APAR: IV58917).
 * Fixed issue with Clients that are unintentionally subscribed to "Patch Support" reporting errors on executing actions (issue #65124 APAR: IV66106).
 * Fixed issue with BES Root Server service crashing after upgrading to 9.1.1117 due to proxy settings (issue #64435 APAR: IV63867).

Web Reports
 * Fixed issue with crash while working with columns (issue #63418).
 * Fixed issue with LDAP User searches being limited to 1024 results (issue #63654).
 * Fixed issue with getting "HTTP 500 Internal Server Error" when filtering based on content type (issue #62359 APAR: IV59040).
 * Fixed issue with Web Reports taking 4 hrs to start up in large environments (issue #64880 APAR: IV65511).
 * Fixed issue with Web Reports reporting problem with updating data because of ImproperFormatVariableName (issue #64465 APAR: IV65220).
 * Fixed issue with editing an existing activity changing the creator (issue #65098 APAR: IV65733).
 * Fixed issue with scheduled activities with deleted report source attempting to run an unrelated report (issue #65099 APAR: IV65735).
 * Improved performance of handling LDAP queries and Computer Group stores (issue #64802 APAR: IV65178).
 * Improved performance of LDAP search by eliminating unneeded reloading (issue #64872 APAR: IV65509).
 * Fixed issue with custom site computer properties reported in Console but not in Web Reports (issue #65083 APAR: IV55625).
 * Fixed issue with Web Reports' StoreStats memory values on Linux (issue #64874 APAR: IV65508).
 * Fixed issue with Export to PDF not working on Windows if Flash content is on the page (issue #64322 APAR: IV64614).
 * Fixed issue with sync error between Web Reports and Flash library (issue #62483 APAR: IV63664).
 * Improved the serviceability of the Web Reports login (issue #65227).
 * Fixed issue with some LDAP users provisioned in Web Reports not being able to log in (issue #59142 APAR: IV56867).
 * Fixed issue with Web Report not generating when archived and emailed (issue #64495).

=========================================
= Changes between 9.1.1088 and 9.1.1117 =
=========================================

9.1.1117 (9.1 patch 3) is an emergency patch release to close the OpenSSL CCS vulnerability (CVE-2014-0224). IBM Endpoint Manager 9.1 (9.1.1065, 9.1.1082, and 9.1.1088) are the only affected versions. Previous versions are not affected, and version 9.1.1117 fixes the vulnerability.

Note that neither the site admin key nor the server signing private key is exposed by this vulnerability, so it is not necessary to rotate keys after upgrade. After upgrade, change all Console user passwords, especially master operator passwords.
See the IBM security bulletin at: http://www-01.ibm.com/support/docview.wss?uid=swg21677842

CHANGES:

Security
 * Fixed security vulnerability CVE-2014-0224

Server
 * Fixed an issue with proxy authentication via Negotiate password authentication (issue: 63281)
 * Fixed an issue with "invalidSQLTimeStampError" on upgrade (issue: 61532, APAR: IV54707)
 * Fixed an issue replicating on a non-default port (issue: 62583, APAR: IV59643)

Relay
 * Fixed an issue with hanging relays via blocking sockets (issue: 61158, APAR: IV60928)

Client
 * Fixed an issue where clients were using legacy certificates on private key reset (issue: 62660, APAR: IV61727)

Client Inspectors
 * Fixed an issue with the "user" attribute of the "process" inspector (issue: 62223, APAR: IV56574)
 * Fixed an issue counting number of processors (issue: 61875, APAR: IV55483)
 * Added "little endian" and "big endian" inspectors (issue: 62992)

Console
 * Fixed an issue validating a custom SSL certificate (issue: 45474)

Web Reports
 * Fixed an issue generating charts for computer group properties (issue: 63136, APAR: IV60926)
 * Fixed an issue displaying the correct result for SourceReleaseDate (issue: 61712, APAR: IV55913)
 * Fixed an issue displaying the change passwords page (issue: 63008, APAR: IV60486)

RESTAPI
 * Fixed an issue with slow action creation (issue: 61409, APAR: IV54825)
 * Fixed an issue with showing records for deleted computers (issue: 62287)
 * Fixed an issue with storing boolean values (issue: 61354)
 * Added more information (issue date, computer name, start time, end time) to action status (issue: 62286)

=========================================
= Changes between 9.1.1082 and 9.1.1088 =
=========================================

9.1.1088 (9.1 patch 2) is an emergency patch release to close a critical security vulnerability that affects server components. If you are running a 9.1 deployment, you need to upgrade immediately in order to close the vulnerability.
CHANGES:
 * Fixed security vulnerability in Root Server, Web Reports, and Server API. (Agents and relays are not exposed to this vulnerability and are not being patched.)

=========================================
= Changes between 9.1.1065 and 9.1.1082 =
=========================================

9.1.1082 (9.1 patch 1) is an emergency patch release to close the OpenSSL Heartbleed vulnerability (CVE-2014-0160). This is a critical vulnerability that affects 9.1 servers and relays. If you are running a 9.1 deployment, you need to upgrade immediately in order to close the vulnerability. Only deployments running 9.1.1065 are exposed to the Heartbleed vulnerability. Earlier versions are not vulnerable.

After upgrading from 9.1.1065 to 9.1.1082, the following steps should be performed to revoke any potentially-compromised credentials (these steps do not need to be performed if upgrading from 9.0 or earlier):

1) Rotate the server signing key: http://www-01.ibm.com/support/docview.wss?uid=swg21669587
2) Rotate custom SSL certificates in Web Reports or the Root Server, if you are using them (note: this is not common).
3) Change all Console user passwords (especially master operator passwords).
4) Change any database or network proxy passwords that are in root server or relay settings.
5) Rotate the client keys for all relays, especially DMZ relays, using Fixlet 1759 in the BES Support site (or http://www-01.ibm.com/support/docview.wss?uid=swg21670787 for manual instructions).

9.1.1065 agents are also exposed to the Reverse Heartbleed vulnerability, but it can only be exploited by an attacker setting up a new relay that the agent connects to. If you suspect this type of attack has occurred, please contact support for recommendations.

CHANGES:

Server / Relay
 * Fixed OpenSSL Heartbleed vulnerability (CVE-2014-0160) - See http://www-01.ibm.com/support/docview.wss?uid=swg21669590 for details.
 * Fixed an issue with FillDB discarding client reports after upgrade to 9.1 (APAR: IV58144)
 * Fixed an LDAP authentication issue on DSA replica server

REST API
 * Corrected status code returned for GET api/computer/{computerid} when computerid refers to a deleted computer

====================================
= Changes between 9.0 and 9.1.1065 =
====================================

Features Added
 * Enhanced Security
   - ability to disable SHA-1 signatures in favor of SHA-256
   - support for TLS 1.2
   - root certificate key strength increased from 1024 to 4096 bits
   - NOTE: Enabling Enhanced Security (accomplished via the Admin Tool) will result in loss of management of any agents or relays with version less than 9.1, including Proxy Agents.
 * LDAP groups support in Web Reports
 * Linux server processes are now 64-bit
   - Root Server, Web Reports, FillDB, and GatherDB
 * Common Criteria security certification features
   - Configurable login banners for Console and Web Reports
   - Inactivity timeouts for Console and Web Reports
   - Increased server audit logging
 * Dashboard API enhancements
   - Suppress warning for the StopAction API
   - Tag actions when importing
   - Asynchronous DownloadFile API
   - Asynchronous UploadFile API
 * Enhanced screen reader support for the Client UI
 * REST API enhancements
   - Ability to add a file that will be gathered by agents to a site
   - Ability to delete a computer
   - Users created through the REST API are now logged in the server audit log
 * New agent inspectors
   - square root: e.g. "sqrt of 4"
   - Added comparison operators for type
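The TLS hardening recorded across these notes (SSL 3.0 dropped for POODLE in 9.1.1229, RC4 removed for Bar Mitzvah in 9.1.1257, TLS 1.2 added by the Enhanced Security feature in 9.1.1065) comes down to a handful of settings that any TLS endpoint exposes. The Python below is an added example and is not BigFix code or an IBM tool: it builds a client context with those properties next to a permissive one, and an audit function that reports which of the properties a given context lacks. The cipher string, function names and the two sample contexts are the example's own choices, using only the standard library `ssl` module.

```python
"""Added example (not from the BigFix release notes): express the TLS hardening
the notes describe as concrete ssl.SSLContext settings, and audit a context
for the weaknesses the notes closed (SSL 3.0, RC4, unverified peers)."""
import ssl

# Strong suites only; RC4, MD5, NULL, export and single/triple DES excluded.
# This preference string is an assumption of the example, not a BigFix value.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES:!3DES"


def build_hardened_context() -> ssl.SSLContext:
    """Client context reflecting the notes: TLS 1.2 floor, no RC4, peer verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSL 3.0 and early TLS
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_permissive_context() -> ssl.SSLContext:
    """Constructed 'before' configuration for comparison: no protocol floor and
    no peer verification (check_hostname must be cleared before verify_mode)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings; an empty list means the context
    has the properties the release notes describe."""
    findings = []
    # TLSVersion is an IntEnum, so MINIMUM_SUPPORTED (unset floor) compares below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (SSL 3.0 / early TLS may be negotiated)")
    weak = sorted({
        c["name"] for c in ctx.get_ciphers()
        if any(tag in c["name"] for tag in ("RC4", "MD5", "NULL"))
    })
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


if __name__ == "__main__":
    for label, builder in (("hardened", build_hardened_context),
                           ("permissive", build_permissive_context)):
        result = audit_context(builder())
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run as a script it prints "OK" for the hardened context and three findings for the permissive one. The RC4 check will usually report nothing even for the permissive context, because current OpenSSL builds no longer ship RC4 suites; the audit keeps it so that a context linked against an older library is still caught.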