
RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD APPLIANCE


RELEASE DATE: DECEMBER 24, 2014
RIOS VERSION: 8.6.2
CONTENTS
1) Supported Steelhead Models
2) New Features in RiOS 8.6.2
3) New Features in RiOS 8.6.1
4) New Features in RiOS 8.6.0
5) Fixed Problems
6) Known Issues
7) Upgrading the RiOS Software version
8) CMC compatibility
9) Hardware and Software dependencies
10) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS


RiOS 8.6.2 supports CXx55, CXxx55, x50, xx50, CX570 and CX770 models. Important: RiOS
8.6.2 does not support Riverbed xx20 models.

2) NEW FEATURES IN RIOS 8.6.2


This section provides an overview of the new features available in RiOS v8.6.2.

Full-Transparency with Enhanced Auto-Discovery Enhancement


Improved the enhanced auto-discovery protocol, when used with full-transparency. After
the connection between Steelheads has been established and data packets addressed to the
server side Steelhead are generated, the client side Steelhead will check that the full-transparency in-path rule is present.

Improved SDR-Adaptive Functionality


Improved SDR-Adaptive functionality to monitor CPU usage in addition to disk load.

3) NEW FEATURES IN RIOS 8.6.1


This section provides an overview of the new features available in RiOS v8.6.1.

New Appliance Models


RiOS v8.6.1 supports the Series CX570 and CX770 appliances.

Baseboard Management Controller (BMC)


The Steelhead CX570 and CX770 models include Baseboard Management Controller (BMC)
support. The BMC monitors the physical state of the appliance and tracks system and
network watchdogs, error logs, and sensors. The sensors of a BMC measure internal physical
variables such as temperature, power settings, and fan speeds, and trigger alerts for activity
detected outside specified limits. For more information, see the Upgrade and Maintenance
Guide.

Enhanced Product Diagnostics and Usage Reporting


A single encrypted HTTPS connection will be opened from each managed device periodically
delivering anonymized information to secure servers located at
usage.comms.riverbed.com:443. In addition, a periodic DNS request will be directed to
a dynamically-generated host ending in updates.riverbed.com.
To disable reporting of product health and usage information, issue the commands no debug
uptimereport enable and no debug health-report enable.
Riverbed cares about privacy and data security. For more information, see
http://www.riverbed.com/legal/privacy-policy

UI Current Connection Report Enhancement


Added the ability to filter based on connections for a specific Path Selection path name by
entering the name into a "matching regular expression" filter.

CLI command reports GRE paths egress statistics


The show in-path gre-egress-tbl command reports GRE sources along with the number of
packets and bytes received from those senders.

4) NEW FEATURES IN RIOS 8.6.0


This section provides an overview of the new features available in RiOS v8.6.0. For details,
see the Steelhead Appliance Management Console Users Guide, the Steelhead Appliance
Deployment Guide - Protocols, the Steelhead Appliance Deployment Guide, and the Riverbed
Command-Line Interface Reference Manual.

Path Selection Enhancements


Includes support for these features:

- Multiple and single firewalled paths using GRE tunneled paths. You can now create direct
  tunneled paths to steer traffic over any path that traverses a stateful firewall between the
  server-side Steelhead appliance and the client-side Steelhead appliance.
- Firewalled deployments using the Application Flow Engine (AFE) to identify and steer traffic
  flows.
- Symmetric and asymmetric traffic flows.

New SharePoint Optimization Diagnostic Reporting


Provides cache hit rates and totals for these SharePoint extensions:
- Web Distributed Authoring and Versioning (WebDAV) HTTP/1.1 extension. The local
  Steelhead appliance proxies transactions, fetching information ahead of time to serve data
  locally. For example, for directory browsing, the Steelhead appliances fetch structures of
  subdirectories, caching them for faster response to the client.
- FrontPage Server Extensions (FPSE), which enables the client application to display the
  contents of a Web site as a file system.

SSL Common Name Support for the AFE


Improves SSL application classification efficiency by allowing wildcards in SSL common name
identification.

New Current Connection Details


Provides more information on QoS classes, applications, and outbound QoS marking for
individual connections.

Over 350 Additional Applications in the AFE


Includes significant additions to the number of popular applications recognized by the AFE.
The AFE enhancements further classify the various Microsoft Lync workloads. Lync is a
multi-featured communications suite that goes across many protocols. The AFE covers the
majority of the traffic generated between Lync clients and servers.
The AFE greatly eases the process of identifying applications in Steelhead appliances. For a
complete list of recognized applications, see the Steelhead Appliance Management Console
Users Guide.

Authentication Scaling and Load Balancing for Secure Protocol Optimization

Improves the number of applications per second and availability of domain authentication
operations. The improvements meet the requirements of high-load environments for
encrypted MAPI and signed-SMB traffic to load balance across multiple domain controllers.
They also improve handling in environments where the domain controllers are not local to
the server-side Steelhead appliance; for example, the domain controllers in Microsoft Office
365 data centers. For details, see the Riverbed Command-Line Interface Reference Manual.

MAPI and eMAPI Over IPv6 Optimization


Provides latency optimization for MAPI and eMAPI over IPv6. Authentication is over IPv4
only. Communication to the domain controller is over IPv4 only.

HTTP Optimization Improvements

Removes the 1 MB bypass limit for Steelhead appliances running RiOS v8.6. The limit is still
in effect for a Steelhead appliance peered with a Steelhead appliance running RiOS v8.5.x
and earlier. The HTTP cache limit is still 1 MB.

RiOS now allows caching of HTTP Vary headers when encoding is set to None.
Combine with strip compression to improve the cache hits. Added diagnostics for
stream splitting.

Improved RiOS Data Store Encryption Performance


Includes several methods to alleviate lock contention, improving encrypted data store
throughput and latency.

New System Administrator Role


Includes permission for all other RBM roles and permission to perform appliance
administration, minimizing the need to assign an administrator role that grants full read-write access to all areas of the appliance. For details, see the Riverbed Command-Line
Interface Reference Manual.

SSL Transport Layer Security (TLS) Support


Enhances security on the inner and outer SSL channels between the client-side and server-side Steelhead appliances. Support includes the TLS version 1.1 and 1.2 encryption protocol.
For details, see the Riverbed Command-Line Interface Reference Manual.

5) FIXED PROBLEMS
Problems fixed in version 8.6.2

123997 Fixed an issue where disk alarm is triggered after a raid element fails.

138588 Stopped generating link-local IPv6 addresses for interfaces with an MTU value
lower than 1280. This avoids the kernel error message "No buffer space
available", since IPv6 requires the MTU on an interface to be at least 1280.

144119 RiOS software switches transparently from hardware to software
compression when an error is detected on the SDR accelerator card. This
enhancement ensures that the optimization service resumes compression with the
SDR accelerator card after a fixed timeout period (6 minutes), thus helping recover
full functionality in the case of transient errors like memory pressure. If the error is
determined to not be transient (10 or more failures in a 2-hour period), the service
switches entirely to software compression.

150658 Fixed an issue where the optimization service could crash if an optimized
Outlook Anywhere connection is closed while it is processing HTTP request or
response headers.

151040 Fixed a race condition during delegation configuration to avoid process
restart.

153082 Fixed an issue that caused a crash of the optimization service at
Smb2::ClientParser::process_TreeDisconnectResponse(). The crash was due to an
attempt to update metadata in an unoptimized node during the Tree Disconnect
operation. The crash is likely to occur in
Smb2::ClientParser::process_SessionLogoffResponse() as well due to similar attempts
made during the Session Logoff operation. The fix adds checks to avoid updating
metadata in unoptimized nodes.

158834 Fixed an issue with Notes Encryption Optimization where the server-side
Steelhead fails to forward traffic to the unencrypted server port. This occurred in the
following conditions:
1) Enhanced Auto-Discover (EAD) disabled
2) Fixed target rules between Steelhead appliances
3) Probe-caching enabled
This can result in the encrypted Notes connections not being optimized. In this case
you will see a log message like the following:
[notesencr2sfe.NOTICE] 1 {x.x.x.x:x y.y.y.y:1352} Server is requesting encryption on port 1352 and therefore cannot be optimized. This connection will be passed through.
Note from the log that port 1352 was used even though Steelhead was
configured to send traffic to unencrypted port 1353.

159262 Hardware watchdog timed out during lookup of a connection in a corrupted
connection table. The corruption was caused because of lingering closed connections
in the connection table. The fix gracefully removes closed connections from
connection table thus avoiding corruption.

162336 Fixed a rare timing-related issue where the optimization would shut down if
the SSL Secure Peering handshake completes at the same time as an optimized
encrypted Lotus Notes connection is being torn down. After the fix the Lotus Notes
Encryption Optimization blade checks to see if the connection is being terminated
before it processes messages from the SSL Secure Peering blade.

162553 Fixed the communication between the ESX Cloud SteelHeads and the Cloud
Portal. The absence of this secondary communication resulted in the appliance not
showing up against the license on the Cloud Portal.

163276 Fixed the handling of empty kerberos request packets on HTTP connection.

163476 Fixed a leak of file descriptors in the winbindd process that can result in
protocol errors for new Signed SMB or encrypted MAPI connections

164034 Fixed an issue where optimized bandwidth limits were not enforced on
MxTCP connections.

164421 Corrected code logic specific to http HEAD request that was improperly
blocking data.

164812 The optimization service will now close the MAPI connection if an error
condition is encountered during optimization, allowing Outlook to gracefully recover.

165611 Fixed the memory allocation failure that caused InPath interfaces to stay
offline after a software upgrade. The failure resulted from the increase in memory
usage of the system during a software upgrade.

165671 Fixed an issue where the 'image fetch' command would fail if the disk drive
containing the /var directory was replaced.

166355 Fixed a kernel crash that may occur because of incoming out-of-order
fragmented TCP packets when the QoS and/or Path Selection feature is enabled.

166967 The service crash following a service restart after a SDR Card failure has been
fixed.

166977 Fixed an issue that caused sysdump collection to get stuck when TACACS+
per-command authorization is configured. This can occur if the "admin" account is
not authorized by the TACACS+ server to execute the "exit" command in the CLI.
During sysdump collection the CLI is launched multiple times internally, and if it
cannot exit from the CLI, the collection cannot complete.

167210 Fixed memory leak in DC discovery locator process.

173665 Increased the memory admission control values so that they are adequate to
support the maximum prescribed load for SteelHead models 770L and 770M.

187833 Fixed a memory leak in RiOS kernel that may occur in the client-side
SteelHead in rare conditions where a client is opening a very large number of short-lived connections and the optimized connection setup between SteelHeads fails.

187862 The Qosd memory leak was fixed and no leaks have been seen with this
release.

191370 Fixed an issue where invalid login requests can result in MAPI blacklist
entries. Outlook can send an invalid login request and this resulted in a MAPI blacklist
entry on the server-side Steelhead. With this change such a blacklist entry is only
made on the 2nd invalid login request on a MAPI connection. This will allow a
recovery and successful login by Outlook on the second attempt.

191761 Fixed an issue that results in failure of directory synchronization using
ViceVersa software when CIFS optimization is enabled. Certain find requests on
folder content were not forwarded to the server, causing the client to eventually
close the connection.

191775 Fixed an issue where the byte count reported by the CLI command "show in-path gre-egress-tbl" included the GRE header of each packet that egresses GRE
tunnels.

191792 Fixed an issue where, when AppVis is enabled and DSCP-marking is not
enabled, the inner channel for Citrix packets was incorrectly marked with the 0x3F
DSCP value.

192346 Fixed an issue that caused an error to be reported when non correct mode
IPv6 addresses are entered in the delegation lists (delegate-all, delegate-all-except)

193744 GeoDNS for SH SaaS is used to locate the closest SteelHead against the
destination Exchange-online (Office 365) server. This feature was disabled by default
before RiOS 8.6.2. The feature has now been enabled by default. The feature should
not be disabled under normal circumstances.

194051 Fixed an optimization service crash that can occur when an optimized MAPI
connection opens a second MAPI protocol context, but the connection has previously
encountered an optimization error.

195020 Upgrade Apache httpd 2.4 to 2.4.10 and 2.2 to 2.2.28 (or 2.2.27 with
patches) for CVE-2014-0117, CVE-2014-0226, CVE-2014-0118, CVE-2014-0231
Details
-------
CVE-2014-0117: mod_proxy: DoS attack against a reverse proxy via a crafted HTTP
Connection header.
CVE-2014-0118: mod_deflate: DoS via highly compressed crafted request message
body.
CVE-2014-0231: mod_cgid: DoS against CGI script due to lack of timeout.
CVE-2014-0226: mod_status: Heap overflow denial of service attack.
Note that RiOS is not impacted by CVE-2014-0226 as it does not include the affected
mod_status module.
Fix
---
Upgraded Apache on RiOS 8.0 and higher, to fix multiple Denial of Service issues.
Recommendation
Upgrade to patched version if applicable

197894 Fixed an issue so that IPs specified in the 'protocol domain-auth delegation rule
dlg-only' command show up in the 'show running config' command output.

200048 When SDR adaptive is enabled (either Legacy or Advanced), use sustained
CPU pressure as an alternate trigger to send resource pressure messages to a peer
steelhead.

200449 Fixed a problem that caused an assertion failure when optimizing encrypted
Lotus Notes connections. At the point of crash the following log message was seen on
the server side SteelHead:
[assert.CRIT] - {- -} ASSERTION FAILED (lock_->held_by_me()) at
/builddir/build/BUILD/sport-0.1/rbt/iocore/action.cc:50.
The stack trace pointed to an assertion failure in the event system code:
#2 0x0... in assert_failure(char const*, char const*, char const*, int) ()
#3 0x0... assert_failure(char const*, char const*, int) ()
#4 0x0... in ActionInternal::is_cancelled() const ()
#5 0x0... in NetIOChannel::handle_event(EventSource, EventType, void*, void*) ()
#6 0x0... in EventThread::process_pollfds(int) ()
#7 0x0... in EventThread::run() ()
The crash happened because our optimization service was performing read/write
operations on an aborted TCP connection between the server side SteelHead and the
Lotus Notes server.

200896 CVE-2014-3535: Linux kernel Vxlan NULL pointer dereference flaw
Details
-------
CVE-2014-3535: The Linux kernel before 2.6.36 incorrectly uses macros for
netdev_printk and its related logging implementation, which allows remote attackers
to cause a denial of service (NULL pointer dereference and system crash) by sending
invalid packets to a VxLAN interface.
Fix
---
Patched the Linux kernel to fix CVE-2014-3535
Recommendation
Upgrade to patched version if applicable.

204080 Fixed a problem with Discovery Agent and agent-intercept mode
optimization on long network paths with many hops. Auto-discovery could have
failed (leading to passthrough connections) due to auto-discovery packets not
reaching the client side SteelHead. The TTL on auto-discovery packets was being
reused from the previous packet on the flow, causing the TTL to reach zero faster
than the actual number of hops the packet traverses.

204870 Enhanced the error message logged when optimization service cannot be
enabled if none of the in-path interfaces have an IPv4 address configured.

205495 Fixed an issue where messages like the following may show up in the logs,
and CLI and WebUI access becomes slow or unresponsive.
[mgmtd.NOTICE]: Waited [x] secs for [query request], Bindings (1 of
1):{/hw/hal/ipmi/query/allevents,N/A,N/A}
This was usually caused by large numbers of SEL entries where requesting them can
be slow. Existing SEL entries are now cached in RiOS and only new entries need be
retrieved through IPMI.

205665 Upgrade to openssl 1.0.1j/1.0.0o to patch openssl security vulnerabilities (libs
used by sport)
Details
-------
The OpenSSL security advisory https://www.openssl.org/news/secadv_20141015.txt
identifies several vulnerabilities of which the following impact RiOS:
CVE-2014-3566: Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older servers. This
could be exploited by an active man-in-the-middle to downgrade connections to SSL
3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a
number of weaknesses including POODLE (CVE-2014-3566).
Fix
---
OpenSSL has been upgraded to patch the vulnerabilities identified in the security
advisory secadv_20141015.
Recommendation
Upgrade to patched version if applicable.


205667 Upgrade OpenSSL to 1.0.1j for security advisory "secadv_20141015": CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568 195020
Details
-------
This update addresses the following issues:
CVE-2014-3566 (POODLE attack): The SSL protocol 3.0, as used in OpenSSL through
1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.
CVE-2014-3567 (Session ticket memory leak): A flaw in the session ticket integrity
check mechanism allows an attacker to cause a denial of service attack by sending a
large number of invalid session tickets.
CVE-2014-3568 (Incomplete no-ssl3 build option): When OpenSSL is configured with
"no-ssl3" as a build option, the option was effectively ignored, and SSL 3.0 was still
allowed.
Fix
---
OpenSSL has been updated to address CVE-2014-3566, CVE-2014-3567 and CVE-2014-3568. This update also includes a fix for CVE-2014-3513, though RiOS is not
impacted by it.
Recommendation
Upgrade to patched version if applicable

205746 Fixed an issue where a memory leak could occur in the mgmtd process when
loading a Steelhead current connection report with more than 500 optimized
connections. This memory leak issue has been resolved in this bug.

205927 CVE-2014-3660: libxml2: denial of service via recursive entity expansion
Details
-------
Libxml2 before 2.9.2 does not properly prevent entity expansion even when entity
substitution has been disabled, which allows context-dependent attackers to cause a
denial of service (CPU consumption) via a crafted XML document containing a large
number of nested entity references, a variant of the "billion laughs" attack.
Fix
---
Upgraded libxml2 package to address CVE-2014-3660.
Recommendation
Upgrade to patched version if applicable
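
The log signatures quoted in entries 158834, 200449 and 205495 above can be matched against a collected syslog to see whether an appliance shows symptoms that 8.6.2 fixes. This is an added example, not part of the Riverbed release notes: the syslog prefix, host name, addresses and the two non-matching lines are constructed, and a numeric wait time is assumed in place of the "[x]" placeholder.

```python
import re

# Signatures built from the log messages quoted in the 8.6.2 fixed-problem
# entries. Keys are the bug IDs used in the release notes.
SIGNATURES = {
    # 158834: encrypted Notes connection passed through; the message shows
    # port 1352 even though the unencrypted port 1353 was configured.
    "158834": re.compile(
        r"\[notesencr2sfe\.NOTICE\].*\{\S+ (?P<server>\S+):(?P<port>\d+)\} "
        r"Server is requesting encryption on port \d+ "
        r"and therefore cannot be optimized"
    ),
    # 200449: assertion failure while optimizing encrypted Lotus Notes.
    "200449": re.compile(
        r"\[assert\.CRIT\].*ASSERTION FAILED \(lock_->held_by_me\(\)\) "
        r"at \S*rbt/iocore/action\.cc:50"
    ),
    # 205495: slow IPMI SEL query that makes CLI and WebUI unresponsive.
    # "\S+" accepts a number or the literal "[x]" placeholder (assumption).
    "205495": re.compile(
        r"\[mgmtd\.NOTICE\]:? Waited \S+ secs for .*"
        r"\{/hw/hal/ipmi/query/allevents,"
    ),
}

# Constructed sample input. Lines 4 and 5 must not match any signature.
SAMPLE_LOG = """\
Dec  1 09:14:02 sh-example sport[4101]: [notesencr2sfe.NOTICE] 1 {10.1.1.20:51544 10.2.2.30:1352} Server is requesting encryption on port 1352 and therefore cannot be optimized. This connection will be passed through.
Dec  1 09:20:45 sh-example sport[4101]: [assert.CRIT] - {- -} ASSERTION FAILED (lock_->held_by_me()) at /builddir/build/BUILD/sport-0.1/rbt/iocore/action.cc:50.
Dec  1 09:31:10 sh-example mgmtd[2210]: [mgmtd.NOTICE]: Waited 35 secs for query request, Bindings (1 of 1):{/hw/hal/ipmi/query/allevents,N/A,N/A}
Dec  1 09:31:11 sh-example mgmtd[2210]: [mgmtd.NOTICE]: Waited 2 secs for query request, Bindings (1 of 1):{/hw/hal/raid/disk/0/disk_wear,N/A,N/A}
Dec  1 09:40:00 sh-example sport[4101]: [notesencr2sfe.INFO] 2 {10.1.1.21:51600 10.2.2.30:1353} connection optimized
"""


def triage(lines):
    """Return {bug_id: [(line_number, extracted_fields), ...]}."""
    hits = {bug: [] for bug in SIGNATURES}
    for number, line in enumerate(lines, start=1):
        for bug, pattern in SIGNATURES.items():
            match = pattern.search(line)
            if match:
                hits[bug].append((number, match.groupdict()))
    return hits


def bugs_seen(hits):
    """Sorted bug IDs that have at least one matching log line."""
    return sorted(bug for bug, found in hits.items() if found)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for bug in bugs_seen(result):
        for number, fields in result[bug]:
            print("bug %s: line %d %s" % (bug, number, fields or ""))
```

A match is a symptom to correlate with the conditions listed in the entry (for 158834: EAD disabled, fixed-target rules, probe caching enabled), not proof of the root cause.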

Problems fixed in version 8.6.1b

154841 Fixed an issue where non-ascii usernames can result in the Domain
Communication alarm being raised for Signed-SMB or Encrypted MAPI connections.

193347 CVE-2014-0191, CVE-2013-2877: Libxml2 security update RHSA-2014:0513-1
DETAILS
-------
CVE-2014-0191: It was discovered that libxml2 loaded external parameter entities
even when entity substitution was disabled. A remote attacker able to provide a
specially crafted XML file to an application linked against libxml2 could use this flaw
to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service
or an information leak on the system.
CVE-2013-2877: An out-of-bounds read flaw was found in the way libxml2 detected
the end of an XML file. A remote attacker could provide a specially crafted XML file
that, when processed by an application linked against libxml2, could cause the
application to crash.
FIX
---
Upgraded libxml2 to fix security vulnerabilities CVE-2014-0191 and CVE-2013-2877.
RECOMMENDATION
Upgrade to patched version if applicable.

196534 Upgrade OpenSSL to 1.0.1i, 1.0.0n, and 0.9.8zb for security advisory
"secadv_20140806" (CVE-2014-3508 CVE-2014-3509 CVE-2014-3511 and others)
DETAILS
-------
The OpenSSL security advisory https://www.openssl.org/news/secadv_20140806.txt
identifies several vulnerabilities of which the following impact RiOS:
CVE-2014-3508: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL
0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty
printing is used, does not ensure the presence of '\0' characters, which allows
context-dependent attackers to obtain sensitive information from process stack
memory by reading output from X509_name_oneline, X509_name_print_ex, and
unspecified other functions.
CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in
t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading
and session resumption are used, allows remote SSL servers to cause a denial of
service (memory overwrite and client application crash) or possibly have unspecified
other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1
before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by
triggering ClientHello message fragmentation in communication between a client and
server that both support later TLS versions, related to a "protocol downgrade" issue.
FIX
---
OpenSSL has been upgraded to patch the vulnerabilities identified in the security
advisory secadv_20140806.
RECOMMENDATION
Upgrade to patched version if applicable.

196537 Upgrade OpenSSL to 1.0.1i, 1.0.0n, and 0.9.8zb for security advisory
"secadv_20140806" - Sport Side
DETAILS
-------
The OpenSSL security advisory https://www.openssl.org/news/secadv_20140806.txt
identifies several vulnerabilities of which the following impact RiOS:
CVE-2014-3508: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL
0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty
printing is used, does not ensure the presence of '\0' characters, which allows
context-dependent attackers to obtain sensitive information from process stack
memory by reading output from X509_name_oneline, X509_name_print_ex, and
unspecified other functions.
CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in
t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading
and session resumption are used, allows remote SSL servers to cause a denial of
service (memory overwrite and client application crash) or possibly have unspecified
other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1
before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by
triggering ClientHello message fragmentation in communication between a client and
server that both support later TLS versions, related to a "protocol downgrade" issue.
FIX
---
OpenSSL has been upgraded to patch the vulnerabilities identified in the security
advisory secadv_20140806.
RECOMMENDATION
Upgrade to patched version if applicable.

197047 Krb5 1.9 security update for CVE-2014-4341, CVE-2014-4342, and CVE-2014-4344
DETAILS
-------
This security update addresses the following issues:
CVE-2014-4341: MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to
cause a denial of service (buffer over-read and application crash) by injecting invalid
tokens into a GSSAPI application session.
CVE-2014-4342: MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows
remote attackers to cause a denial of service (buffer over-read or NULL pointer
dereference, and application crash) by injecting invalid tokens into a GSSAPI
application session.
CVE-2014-4344: MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows
remote attackers to cause a denial of service (NULL pointer dereference and
application crash) via an empty continuation token at a certain point during a
SPNEGO negotiation.
FIX
---
Krb5 has been patched for CVE-2014-4341, CVE-2014-4342, CVE-2014-4344.
RECOMMENDATION
Upgrade to patched version if applicable.

200367 glibc security update for CVE-2014-5119 and CVE-2014-0475
DETAILS
-------
CVE-2014-5119: Off-by-one error in the GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via
vectors related to the CHARSET environment variable and gconv transliteration
modules.
CVE-2014-0475: Multiple directory traversal vulnerabilities in GNU C Library (aka glibc
or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand
restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*,
(2) LANG, or other locale environment variable.
FIX
---
Glibc packages updated to fix CVE-2014-5119 and CVE-2014-0475
RECOMMENDATION
Upgrade to patched version if applicable.
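
Entries 205665/205667 (advisory secadv_20141015) and 196534/196537 (advisory secadv_20140806) name the OpenSSL releases that carry the fixes, so an inventory of OpenSSL version strings can be checked against them. This is an added example, not part of the Riverbed release notes: the host names and inventory are constructed, and the comparison handles OpenSSL's letter suffixes, where "za" follows "y".

```python
import re

# Fixed releases per OpenSSL branch, exactly as named in the release notes.
# A branch missing from an advisory's map means the notes give no fixed
# release for it, so the check reports "unknown-branch" instead of guessing.
FIXED_RELEASES = {
    "secadv_20140806": {"0.9.8": "0.9.8zb", "1.0.0": "1.0.0n", "1.0.1": "1.0.1i"},
    "secadv_20141015": {"1.0.0": "1.0.0o", "1.0.1": "1.0.1j"},
}

# Legacy OpenSSL versions look like 1.0.1j or 0.9.8zb: three numbers plus an
# optional letter suffix. After "y" the suffix continues as "za", "zb", ...
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)((?:z*[a-z])?)(?![a-z0-9])")


def parse_openssl_version(text):
    """Return a sortable key for the first OpenSSL version found in text."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix = (int(match.group(i)) for i in (1, 2, 3))
    letters = match.group(4)
    # Longer suffixes sort later ("y" < "za"); equal lengths sort by letter.
    return (major, minor, fix, len(letters), letters)


def advisory_status(version_text, advisory):
    """Classify one version string against one advisory's fixed releases."""
    key = parse_openssl_version(version_text)
    branch = "%d.%d.%d" % key[:3]
    fixed = FIXED_RELEASES[advisory].get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if key >= parse_openssl_version(fixed) else "vulnerable"


def audit(inventory):
    """Map each (host, version string) pair to its status per advisory."""
    return {
        host: {adv: advisory_status(version, adv) for adv in sorted(FIXED_RELEASES)}
        for host, version in inventory
    }


# Constructed inventory in the format printed by `openssl version`.
SAMPLE_INVENTORY = [
    ("host-a", "OpenSSL 1.0.1i 6 Aug 2014"),
    ("host-b", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("host-c", "OpenSSL 1.0.0o 15 Oct 2014"),
    ("host-d", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
]

if __name__ == "__main__":
    for host, statuses in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, statuses)
```

Vendor builds often backport fixes without changing the upstream version string, so treat "vulnerable" as a prompt to check the vendor's package changelog rather than as a final verdict.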

Problems fixed in version 8.6.1a

202898 CVE-2014-6271, CVE-2014-7169: Bash Code Injection Vulnerability via
Specially Crafted Environment Variables
DETAILS
-------
CVE-2014-6271: A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or bypass
environment restrictions to execute shell commands. Certain services and
applications allow remote unauthenticated attackers to provide environment
variables, allowing them to exploit this issue.
CVE-2014-7169: It was found that the fix for CVE-2014-6271 was incomplete, and
Bash still allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use this flaw to
override or bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to provide
environment variables, allowing them to exploit this issue.
Please refer to this knowledge base article for detailed information on the impact of
this vulnerability on Riverbed products and services:
https://supportkb.riverbed.com/support/index?page=content&id=S24997
FIX
---
The Bash component was updated in Riverbed products and services to fix the
"ShellShock" vulnerability (CVE-2014-6271, CVE-2014-7169)
As a part of this update, the following related issues were also fixed:
CVE-2014-6277
CVE-2014-6278
CVE-2014-7186
CVE-2014-7187
Recommendation
Upgrade to the appropriate patched versions of software as listed in the above KB
article.


Problems fixed in version 8.6.1

77755 This bug fix helps the optimization service gracefully recover when a
corruption is detected in the index by repairing the data structures that form part of
the index. This recovery occurs transparently without triggering a service crash,
connection drops, or loss of data integrity.

94089 The Common Name field on a Certificate Signing Request should include the
local hostname for full browser compatibility. The Web user interface now shows a
warning when the hostname is not included in the Common Name.

129100 Fixed an optimization device failure that would occur along with messages
similar to "watcher: One or more threads not responding after at least [x]s;
unhealthy threads follow"

146046 With inbound QoS enabled, a SteelHead under moderate load might enter
into a busy wait loop. In some rare cases, this culminated with a reboot triggered by
the hardware watchdog. Inbound QoS has been modified to limit processing too
many packets in a single pass. This modification prevents the watchdog from timing
out and causing a reboot.

147174 Enhanced NetFlow flow records to indicate to CascadeFlow collectors that
the SteelHead interface data exported may have been incorrect in virtual in-path
deployment or when Path Selection was enabled.

147363 Fixed an issue that resulted in a crash of the rcud process during high CPU
and disk load on the SteelHead. During high CPU and disk load spikes, the period of
time available for the rcud process to recover from an unhealthy state was short. This
period has now been increased to allow the rcud process to recover when the
appliance enters high CPU or disk load state.

148619 Fixed a severe SSL CPS performance degradation issue when the FIPS mode
was enabled on the SteelHead. The performance degradation was due to heavy use
of certain FIPS locks used by OpenSSL. The fix avoids read operations on FIPS locks to
improve performance safely.

149216 Fixed an issue where opening a continuous log window could prevent a user's
Web session from timing out. Timeout would occur after the inactivity delay set in
Web Settings or five minutes after the main window or tab was closed, whichever
came first.

151996 For Path Selection, the outputs for the show connection and show flow
commands now mark paths used for the inner connection pool with an asterisk (*)
to help differentiate those paths from the paths that were used for the queried
connection.

154088 This bug fixes a crash in RiOS resulting from compression failure of a specific
data pattern. The failure was caused due to incorrect sizing of the output buffer. This
fix makes sure the output buffer is big enough to handle such scenarios.


154381 Fixed an issue where a closing TCP connection that was simultaneously
opened by the SteelHead and any other device in the network would result in a RiOS
kernel crash. The fix gracefully handles this condition by initializing the TCP
connection state to the correct value to prevent service disruption.

155336 Fixed an issue where the disk space for logs became full after collecting
Application Visibility statistics. The system now dynamically scales back Application
Visibility granularity thresholds when low disk space is detected.

155940 HTTP latency optimization was bypassed on large chunk encoded transfers,
by design, with the intent that large transfers would not benefit from latency
optimization. This limit has been removed as it has been found to inhibit beneficial
optimizations on subsequent transactions.

156182 Fixed a potential but unlikely issue where the system shutdown could take
more than 20 minutes.

158787 Fixed an issue where a CX570 or CX770 Steelhead would display errors in the
syslog, such as the following, which do not impact operation and can be ignored:
Feb 10 00:00:39 sv-sh99 hald[7665]: [hald.INFO]: hald_handle_query_request(), hald_main.c:631, build (null): No handler for bnode /hw/hal/raid/disk/0/disk_wear
Feb 14 11:32:05 sv-sh99 hald[7707]: [hald.NOTICE]: RAID MOD: No need to initialize. Old model detected
These warnings have been removed from the CX 570 and CX 770
models, as they do not use RAID.

159136 Fixed a statistics accounting issue where bytes sent or received were
erroneously accounted multiple times towards a single port.

159419 Enabled multiple hardware queues for 10 G interfaces in order to improve
the performance for QoS marking and Path Selection. This fix works only when QoS
shaping is disabled.

159811 Fixed an issue where the domain-health test widgets were not honoring
encrypted LDAP settings on domain controllers resulting in test widget failures.

160271 Fixed an issue where our LDAP library was not being compiled with the SASL
support needed for encrypted LDAP support for the auto-delegation and password
replication policy features.

162474 Fixed an optimization service crash when an optimized Outlook Anywhere
connection was closed immediately after opening.

162513 Fixed an issue where in certain rare cases, the SteelHead could report a
"Needs Attention" status even though the condition that caused it had cleared. The
"Needs Attention" status now clears appropriately.

162543 Fixed an issue where the alarm indicating IPv6 incompatibility between
connection forwarding neighbors did not clear after the neighbors disconnected.

162723 Fixed a memory leak in the statistics gathering subsystem that can result in
paging activity too high alarms after several months.

163298 The memory limit of the QoS process qosd was removed so that it no longer
crashes when its memory usage hits 500MB.

163324 Added a new alarm in RiOS that is triggered if Path Selection probe responses
arrive at a WAN interface that is different from the WAN interface on which the
probe requests were sent.

163505 Fixed a problem that resulted in the log message "[cli.ERR]: user monitor: No
response from HAL for uses_hardware_wdt" occurring when a nonadministrative
user logged in. This problem did not cause any functional issues.

163925 Three SMB3 port descriptions were corrected on the Monitored Ports
configuration page of the Web UI. The descriptions were corrected for ports 8781,
8782, and 8783 to SMB3, SMB3 Signed, and SMB3 Encrypted, respectively.

164014 Enhanced error notification to explain that configuring Path Selection
channels on a SteelHead that is not peered with an Interceptor is not supported.

164133 Access to SOAP APIs was not available in 8.6.0. With the fix, SOAP APIs
should now be accessible.

164188 Fixed the httpd settings to prevent the "No slotmem from
mod_heartmonitor" message that was intermittently seen in the httpd logs.

164191 Enhanced Path Selection probing logic to drop probe requests that ricochet
through the SteelHead. This change helps in detecting paths as being down in cases
where a downstream router may reroute probe requests and such packets ricochet
through the SteelHead.

164382 The CX570, CX770, and SMC platforms do not support the CLI command no
remote password. "Operation is not supported in the given platform" is now printed
on the console if the user enters this command.

164384 Fixed an issue where Path Selection information for a connection was not
visible in the UI "Current Connections" report.

164503 Corrected a problem where the order of the incoming data was corrupted
after the client TCP connection was reset. This problem was leading to an internal
crash; however, no corrupt data was ever sent to the client or server.

164561 The Web user interface now supports key lengths of 3072 and 4096 for
generating CA certificates. This change provides parity with the command-line
interface, which introduced these key lengths in version 8.6.0. The key size is no
longer allowed to be 512.

164805 Fixed an issue in the RiOS kernel that could result in a kernel panic while
adding a VLAN tag to an unoptimized packet during path selection.

164837 Fixed an issue that resulted in Windows clients failing to connect to a share
on Windows 2012R1 Server with update KB2934016 installed. The fix corrects the
size of the metadata prefetch request issued by the client-side SteelHead. This size is
calculated based on the server's maximum transaction size. Increasing the maximum
transaction size to 8 MB by Windows update KB2934016 exposed a bug in the
computation of the prefetch request size.

165077 Modified the data store configuration file for the CX770L and CX770M
models to change the data store size from 100 GB to 150 GB. Upgrading to an image
containing the fix will result in a size change. Please note that this resizing operation
will clean the data store.

165212 Fixed an issue related to a collectord crash under high disk load.

165262 Enhanced the logic that maintains the state for optimized connections in the
RiOS kernel to prevent referencing stale data that may have resulted in a kernel
panic.

165343 Fixed a crash of the SteelHead optimization service when the Server
Certificate Chain Discovery feature was enabled on the server-side SteelHead. The
process crashed due to a NULL pointer dereference. The fix involved introducing
NULL pointer checks.

165828 Fixed an issue where VLAN tags were stripped when the packets went
through an ESX-based Virtual SteelHead. This issue affected both optimized and
passthrough traffic.

166647 Decreased the number of syslog messages printed by MAPI optimization so
only one of those messages is logged for each optimized MAPI connection.

191836 Fixed an issue where the SSL peering trust between SteelHeads would not
establish due to certain SCEP servers rejecting the CSRs generated by SteelHeads.
OpenSSL 1.0.1h updated the default mask for encoding the ASN.1 DirectoryString to
use UTF8String, and this has been reverted to PrintableString.

192177 Fixed an issue where renewing the SSL peering trust between SteelHeads
failed due to certain SCEP servers that rejected the CSRs generated by SteelHeads.
OpenSSL 1.0.1h updated the default mask for encoding the ASN.1 DirectoryString to
use UTF8String, and this has been reverted to PrintableString.

192199 Fixed a problem that caused a crash in the optimization service when the
Citrix protocol optimization component parsed the start of a Citrix connection. The
stack contained these function calls:
#0 0x... in IcaContext::basic_decrypt(Citrix::ByteBuffer*, bool) ()
#1 0x... in UiDriver::UiDriver(AbstractDriver::DriverHeader const&, BufReader*, bool*) ()
#2 0x... in AbstractDriver::create_driver(AbstractDriver::DriverHeader const&, BufReader*, std::basic_string<char, std::char_traits<char>, std::allocator<char> >*) ()
#3 0x... in DriverInitResponse::DriverInitResponse(unsigned char, unsigned short, bool, BufReader*, bool*) ()
#4 0x... in Citrix::DriverStack::parse() ()
...
The crash happened while parsing a Citrix client packet at the start of the connection.
These messages were observed in the system logs immediately before the crash:
... [/citrix/cfe/DriverStack INFO] {<client_ip>:<client_port> <server_ip>:1494|2598} Parsed driver at index QQ

Problems fixed in version 8.6.0a

130193 Fixed an issue where an interface would lose link after upgrading to 8.6.0, if
the interface speed and duplex was configured for 100 full (without using
auto-negotiation) on both the Steelhead and the connected router or switch. The fix
will only apply a configuration that is supported by the interface.
Workaround: Set both the SteelHead interface and switch to use auto negotiation
before upgrading to 8.6.0. After performing the upgrade, change the setting back to
speed 100 full duplex.

153178 Application Visibility process collectord crash has been fixed. The crash was
due to memory exhaustion during high load.

165027 IIS is sometimes responding with 401 authentication responses while an
HTTP POST request is still sending data. This triggers a connection level bypass, and
potentially a crash on the SFE due to a defect in the bypass functionality introduced
in 8.5.0.

165217 Fixed the Steelhead's Client Authentication support feature to allow
bypassing the connection when the ECDHE-RSA cipher suite was chosen.

165253 The fix prevented the SteelHead from crashing and correctly handled
connections to TCP server port 7840.

165657 Fixed a problem where automatic emails were sent from 32-bit appliances
indicating /usr/lib64/sa/sa1 and /usr/lib64/sa/sa2 were missing. These commands
were used to collect system activity data which was used in system debugging. This
problem did not impact normal system operation.

165705 Fixed a memory leak issue that resulted in high memory utilization on the
SteelHead. The issue could have resulted in admission control, optimization service
crash at alloc(), or general slowness. The issue was due to a memory leak while
handling SMB2 read responses when 'end of file' information was invalid. Now only
if MAPI or NSPI were enabled would those connections have received the
corresponding latency optimization.

165809 The optimization service would create an optimized MAPI connection for
every TCP connection to a server TCP port 7830 even if the MAPI feature was
disabled. The optimization service would create an optimized NSPI connection for
every TCP connection to a server TCP port 7840. Now only if MAPI or NSPI were
enabled would those connections have received the corresponding latency
optimization.

166984 The fix was to program the interface to do the correct link negotiation based
on the interface setting.

168159 CVE-2014-0224: OpenSSL weak keying MITM vulnerability


DETAILS
------
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h did not
properly restrict processing of ChangeCipherSpec messages, which allowed
man-in-the-middle attackers to trigger use of a zero-length master key in certain
OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain
sensitive information, via a crafted TLS handshake, aka the "CCS Injection"
vulnerability.
FIX
--
Upgraded OpenSSL as used by the Steelhead optimization service process to 1.0.1h
(or 0.9.8za for some older releases using 0.9.8) to fix CVE-2014-0224. Note: This
patch also addressed the following security bugs that DID NOT affect RiOS:
DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)

168163 CVE-2014-0224: OpenSSL weak keying MITM vulnerability


DETAILS
------
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h did not
properly restrict processing of ChangeCipherSpec messages, which allowed
man-in-the-middle attackers to trigger use of a zero-length master key in certain
OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain
sensitive information, via a crafted TLS handshake, aka the "CCS Injection"
vulnerability.
FIX
--
Upgraded OpenSSL as used by device management to 1.0.1h (or 0.9.8za for
some older releases using 0.9.8) to fix CVE-2014-0224. This patch also addressed
the following security bugs that did not affect RiOS:
DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)
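
The affected ranges quoted in the two CVE-2014-0224 entries above (before 0.9.8za, 1.0.0 before 1.0.0m, 1.0.1 before 1.0.1h) can be checked mechanically against an inventory of OpenSSL banners. This is an added example, not Riverbed code: the function names, host names and banners are constructed, and it assumes the classic OpenSSL `x.y.z[letters]` version scheme.

```python
import re

# Classic OpenSSL versions: three numbers plus an optional lowercase patch
# suffix. Suffixes run a..z and then za, zb, ..., so "za" is newer than "y"
# even though a plain string comparison of whole versions is not reliable.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

# First fixed patch level per branch, as quoted in the CVE-2014-0224 text.
FIRST_FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}


def patch_rank(suffix):
    """Map a patch suffix to an integer: '' -> 0, 'a' -> 1, 'z' -> 26, 'za' -> 27."""
    # Only the last letter may differ from 'z' (e.g. "zb"); reject "ab".
    if suffix and suffix[:-1].strip("z"):
        raise ValueError("unexpected patch suffix: %r" % suffix)
    return sum(ord(ch) - ord("a") + 1 for ch in suffix)


def parse_openssl_version(text):
    """Return ((major, minor, fix), patch_rank) for a version or banner string."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty version string")
    # `openssl version` prints e.g. "OpenSSL 1.0.1g 7 Apr 2014".
    if tokens[0].lower() == "openssl" and len(tokens) > 1:
        candidate = tokens[1]
    else:
        candidate = tokens[0]
    # Drop build tags such as "-fips" or "-beta1". A pre-release is treated
    # as the unpatched base release, which is the conservative reading.
    candidate = candidate.split("-", 1)[0]
    match = _VERSION_RE.match(candidate)
    if match is None:
        raise ValueError("not a classic OpenSSL version: %r" % text)
    major, minor, fix, suffix = match.groups()
    return (int(major), int(minor), int(fix)), patch_rank(suffix)


def ccs_injection_status(text):
    """Classify a version against the ranges stated for CVE-2014-0224."""
    branch, rank = parse_openssl_version(text)
    if branch in FIRST_FIXED:
        fixed_rank = patch_rank(FIRST_FIXED[branch])
        return "fixed" if rank >= fixed_rank else "affected"
    if branch < (0, 9, 8):
        return "affected"      # "OpenSSL before 0.9.8za"
    return "not-listed"        # branch is outside the ranges the text names


def audit(inventory):
    """Group (host, banner) pairs by status; unparseable banners are kept."""
    findings = {}
    for host, banner in inventory:
        try:
            status = ccs_injection_status(banner)
        except ValueError:
            status = "unparsed"
        findings.setdefault(status, []).append(host)
    return findings


# Constructed sample inventory (hosts and banners are illustrative only).
SAMPLE_INVENTORY = [
    ("wanopt-a.example", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("wanopt-b.example", "OpenSSL 1.0.1h 5 Jun 2014"),
    ("legacy-a.example", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("legacy-b.example", "OpenSSL 0.9.8za 5 Jun 2014"),
    ("mgmt-a.example", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    ("build-a.example", "OpenSSL 1.0.2a 19 Mar 2015"),
    ("edge-a.example", "LibreSSL 2.0.0"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(status, ", ".join(hosts))
```

Distribution packages often backport fixes without changing the upstream version string, so an "affected" result is a prompt to check the vendor's package changelog rather than a final verdict.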

Problems fixed in version 8.6.0

59875 Fixed an issue where VLAN-tagged frames belonging to VLAN ID zero were
dropped. In an in-path setup, all passthrough traffic tagged with VLAN 0 will now go
through. All Steelhead-destined traffic tagged with VLAN 0 will still be explicitly
dropped to keep the same behavior as before.

62550 Browser cookies could be assigned an HTTP-only flag, which prevented them
from being accessed by scripts. Setting the flag prevented cross-site scripting (XSS)
attacks targeting the user's session cookie. See:

https://www.owasp.org/index.php/HttpOnly
http://cwe.mitre.org/data/definitions/79.html

To fix this, the Steelhead now uses the HTTP-only flag.

67594 Fixed scenarios where the Data channel was not sent to the DPI engine
resulting in inconsistent classification behavior. This fix ensured that both Control
and Data channels were chained correctly to the DPI engine.

74013 Fixed a problem where setting up an optimized connection failed due to using
a broken inner pool connection. When the optimization service attempted to send
data over the broken connection, it would get an error and destroy the optimized
connection. This fix monitored pool connections for socket errors and removed them
from the pool upon detecting an error.

74266 When using encrypted MAPI, Outlook Anywhere and Smartcards to provide
client authentication, Outlook may use the SCHANNEL authentication protocol (auth
type 14), which was not supported with RiOS 8.5.0.

76017 This was fixed by replacing escape characters with spaces. With this fix special
characters like \n will not be shown as #012.

77601 Inadvertent WARN level messages from [sslinnerchan/CliClosed.WARN] and
[sslinnerchan/SrvClosed.WARN] with the message Shutting down the splice:
unexpected message corresponded to benign activity that occurred when SSL secure
inner channel was used for non-SSL traffic. The messages have been removed.

78637 The CLI support show ether-relay now correctly reports entries of all relay
devices.

90698 Fixed an issue that resulted in a crash of the server-side optimization service
when the Smb2 blade's read-ahead was enabled. The crash was due to an update to the
read-ahead window issued by the client-side Steelhead when there was no read-ahead
handle on the server-side Steelhead. The fix gracefully handles this situation by
stopping just the application level (layer 7) optimization only on the connection that
experiences this issue.

95504 Removed the 1 megabyte HTTP response bypass limit so that a larger response
no longer triggers optimization bypass as long as both Steelheads are running 8.6.0
or later.

99396 Fixed an issue where viewing the Alarm Status page could encounter item
unexpectedly already existing errors when an IPMI alarm was triggered.

108661 The old implementation of the EPM blade could not handle the NDR64 transfer
syntax. To prevent the client and server from using NDR64, it nulled out the NDR64
transfer syntax during EPM bind, but some clients and servers did not like this and
closed the connection, resulting in disruption of service. The EPM blade has been
rewritten from scratch to parse and handle different kinds of transfer syntaxes, for
example NDR32 and NDR64, and now it lets the client and server use NDR64 and
correctly handles NDR64 traffic.

109501 Currently, the RBM user roles are ignored for Steelhead Cloud Accelerator
features. RBM users with DENY permissions in all roles are allowed access to
Steelhead Cloud Accelerator UI pages and Steelhead Cloud Accelerator commands.

113802 Fixed a problem where a lock was not properly being released in the Citrix
optimization blade. This would result in other threads being blocked while trying to
acquire the lock, which would eventually cause the watchdog timer to detect the
threads as unhealthy and temporarily put the optimization service in bypass.

120103 All Outlook Anywhere connections from a client computer needed to be
optimized by the same set of client- and server-side Steelheads. If multiple client-side
Steelheads are deployed in a cluster, the Interceptor is automatically configured to
reliably select the same client-side Steelhead for subsequent Outlook Anywhere
connections from a given client.

120746 Fixed an issue that resulted in out-of-memory condition on the client-side
Steelhead leading to a crash. The issue was due to buffering of write requests during
NFS write-behind optimization. Buffering of write requests has now been made
configurable. The issue was resolved by disabling it by running the below CLI
command on the client-side Steelhead:

no protocol nfs buffer-wrt-reqs enable


Note: Client-side and server-side Steelheads must be running on RiOS 7.0 or later
releases, with the client-side Steelhead containing this fix. Codec flow control must
be enabled on both the Steelheads for the fix to be effective. Codec flow control is
enabled by default. If it is disabled, it can be enabled with: sport codec flow-control
enable.

121070 Fixed an issue where link state of primary interface was not properly
reported on a Virtual Steelhead. This could result in failures of activities depending
on the link state, such as applying QoS to primary interface.

122882 Fixed an issue where IPv4 addresses were sometimes incorrectly formatted
in log messages. Some log messages prepended ::ffff: to the IPv4 address, e.g.
::ffff:10.0.0.1. With the fix, IPv4 addresses are displayed in the x.x.x.x dotted quad
notation.

124033 Object Prefetch and Stream Splitting feature code was updated to cache
responses containing "Vary: Accept-Encoding", if no Content-Encoding is present in
the response.

125506 Enhancement to reduce IP TTL value of passthrough packets when such
packets are steered by path selection. This behavior was enabled by default and can
be toggled using the following CLI command: '[no] path-selection settings ttldecrement enable'

126135 Fixed an issue where certain SMART query triggered a bug in a SSD with
certain versions of firmware, resulting in the Steelhead storage controller getting into
a FAULT state and the appliance becoming unresponsive. The fix works around the
problem by monitoring the state of storage adapter and hard-resetting the adapter if
it is stuck in the FAULT state.

127119 Added a mechanism to stop uploads of diagnostic files in progress. The file
upload stop command is now available to stop an in-progress upload.

127332 The file <type> upload <file name> command can now be used without
additional parameters to upload to the Riverbed support site. An additional
parameter may be given to specify a Riverbed support case number or (to get the old
behavior) a URL to upload to instead of the Riverbed support site.

127721 When a URL without a trailing slash is used to upload dumps to a directory
(rather than a file in a directory) on the server, the upload now has an error indicated
in show uploads.

128149 Fixed a Linux kernel jiffies overflow problem on 32-bit Steelhead which might
have led to a kernel crash when Inbound QoS was enabled.

129534 This fix restores the original behavior of the upgrade script.

130281 Fixed an issue that resulted in optimization service crash on the client-side
Steelhead at sunrpc::ServerCacheList::add_extent(). Fix involves corrections in
handling of failure of names encode and decode operations.

130630 Corrected incorrect memory usage calculation for HTTP optimization that led
to new responses not being cached, and improved OPT caching policy.

130991 Fixed an issue that prevented RBM users and the monitor user from logging
into the CLI. The permissions on the mfdb file were set incorrectly, preventing these
users from reading the file during login, so login failed.

133206 Removed the restriction that an interface must be up and connected in order
to configure the WAN link rate and enable QoS on it. If the interface is down, an
alarm is raised indicating that the WAN bandwidth is greater than the detected link
rate.

134683 Fixed an issue that affected file access on NetApp ONTAP 8.1.2+
cluster-mode filer due to timeouts. Fix involves handling of unchained responses to a
single chained request on the server-side Steelhead.

135268 This bug fixes the mdadm crash issue when reassembling raid disks where
one raid element is missing.

135671 Fixed an issue where 'show running-config' command was displaying the
mask length for snmp-server command with / prefix, which is not allowed anymore.

135942 This fixed a bug in the decoder that triggered an optimization service crash
when handling corrupt packets. The fix ensures that sport gracefully handles corrupt
packets by attempting recovery and closing the connection if recovery fails.

136288 Added checks to avoid accessing invalid information that could cause
optimization service crashes.

136892 Fixed an issue where packets of passthrough flows not subjected to path
selection and were fragmented if they were larger than the in-path interface MTU.
The issue existed only when Path Selection is enabled.

137215 Fixed an issue where some disk failures were not handled properly: the failed
disk was not offlined, which caused the disk to continue to be accessed and resulted in
performance and stability issues, as well as logs like:
kernel: Info fld=0x23, Current sdh: sense key Medium Error
kernel: Additional sense: Unrecovered read error

137589 The fix improves the connection information retrieval.

137696 Fixed an issue where with 8.0.x software, a certain load was not evenly
distributed among the available cores on models with an SDR card (7050M,
7055M/H), and might trigger CPU utilization alarms under certain traffic conditions.

138208 Strengthened security around Riverbed customer support diagnostic access.


138278 Fixed an issue that resulted in crash of client-side optimization service in
Smb2 blade. The crash occurred when LeaseBreakNotification on a connection did
not acquire proper lock before updating lease state on another connection to which
the lease belonged.

138418 Fixed an issue by removing un-needed access to the disk file that checks for
the current log level, thereby avoiding blocking on disk I/O when the system is under
heavy load.

138610 Fixed an issue where an encrypted Outlook Administrator account could fail
to connect to Exchange when Steelhead MAPI multi-context support was enabled.
Steelheads now properly optimize these connections.

138773 Fixed an issue where a Citrix user reconnecting to a session using Session
Reliability saw the reconnect hang when MultiPort optimization was in use. The user
might have seen a stalled progress bar and the message Connection in progress, and
the client-side Steelhead appliance might have shown a protocol error indicating
misconfiguration of inner SSL. This issue was caused by interference of
inter-Steelhead packets for Citrix MultiPort optimization and inner SSL optimization.
The issue was resolved by delaying the Citrix MultiPort inter-Steelhead packet until
the inner SSL setup is complete.

139239 Fix to ensure that DNS lookups do not happen on every request to discover
the Key Distribution Center. Once discovered, the Steelhead now uses the cached
value, thereby reducing the overall number of DNS requests.

139311 Fixed the formatting of the reports from 'show connections' and 'show flows'
CLI commands to make them consistent with each other.

139798 Fixed a database corruption triggered by a configuration switch.

139973 Fixed a problem where the optimization process would not stop despite
encountering an irrecoverable error. When an irrecoverable error was detected, the
optimization process was supposed to stop itself and pass through connections. For
certain errors involving the inpath interfaces, failing to stop the optimization process
would cause traffic to be blackholed. With this fix, the optimization process stops,
raises an alarm, and passes through all connections.

139999 Reporting has been made consistent.

140087 The active-active sync feature did not check for memory pressure when
replicating traffic and only relied on the read/write disk pressure mechanism.
However the disk pressure mechanism is enabled only when sdr-a-a is enabled. In
turn if the disk I/O becomes unresponsive and sdr-a-a is disabled, the active-active
sync feature can overflow the system with read/write disk requests to a point where
the Steelhead runs out of memory.

140186 Fixed the interpretation of Citrix Client Drive Mapped file transfer packets
from a Citrix server to a Citrix client that could result in a file corruption. This
occurred when certain kinds of files were transferred from the Citrix server to the
Citrix client during an optimized Citrix session with CDM latency optimization turned
on.

140269 Upgrade to 8.5.0 release disables Skipware Legacy Compression as a default
behavior.

140532 The interrupt vector assignment algorithm has been changed to avoid
assigning interrupts being used by RSP.

140542 Fixed an issue that caused ICMP fragments to be dropped in a WCCP
deployment.

140743 Fixed an issue where the optimization service aborted because of packet
corruption on the TCP connection between Steelheads causing zero length esc
packets. This fixed a crash in the optimization service resulting from packet
corruption on the WAN. In particular, this fix addresses the case where the packet
length was incorrectly set to 0. The fix helps avoid the crash, and ensures that the
affected connection is terminated gracefully.

140790 Fixed an issue where Steelhead Mobile clients optimizing connections to
multiple interfaces on the same server-side Steelhead would fail to optimize
connections on certain interfaces but not others. The Steelhead Mobile client would
create an out-of-band connection for each interface on the server-side Steelhead,
but the server-side Steelhead would fail to find the correct out-of-band connection
for all but the first interface on which it received a connection. When the server-side
Steelhead failed to find the out-of-band connection, it would attempt to initiate an
out-of-band connection with the Steelhead Mobile client. Steelhead Mobile clients
were unable to accept connections, so no connections would be optimized over the
problematic interfaces. The same issue can occur on client-side Steelheads that are
behind a NAT device.

140940 CVE-2013-1944: cURL cookie stealing vulnerability in tailmatch.


DETAILS
------
The tailMatch function in cURL and libcurl before 7.30.0 did not properly match the
path domain when sending cookies, which allowed remote attackers to steal cookies
via a matching suffix in the domain of a URL.
FIX
--
The curl package has been upgraded.

141017 Fixed an issue where transfer of file stalled when Smb2 optimization was
enabled. The fix was to handle a case correctly when server could respond with
status pending for notify request in a chain of Smb2 requests.

141024 Fixed a bug where the Steelhead incorrectly assumed high memory pressure
and throttled the traffic.

141276 Fixed a problem where a counting error on the server-side Steelhead
appliance during optimized Citrix Client Drive Mapping transfers from the client to
the server could cause memory corruption which frequently caused a failure of the
optimization service. This error occurred with file sizes that are 1 to 11 bytes larger
than an even multiple of 4096 bytes.

141368 The client-side optimization service could crash during MAPI pre-population.
This crash was observed if MAPI pre-population was started on a connection, when
the MAPI connection has not been fully set up prior to pre-population.

141432 User inputs were escaped before returning it to the web client.

141467 Fixed a problem where a Steelhead responded to its own auto-discovery
probe in rare cases where the probe packet was sent back to it from a connection
forwarding neighbor.

141793 Fixed an issue where optimization of SaaS connections through Steelhead
Cloud Accelerator (SCA) would not work if the TCP probe option configuration was
set to any value other than its default of 76. In direct-branch SCA mode, the
Steelhead can continue to use the non-default probe TCP option value to peer with
other customer Steelheads and it also peers properly with SCA Steelheads. In
backhauled mode, the fix only works if the Branch Steelhead and Datacenter
Steelhead use the same non-default probe TCP option.

141892 There is an INFO level message generated for each HTTP connection that
indicates what optimizations are configured. Previously this was indicated by a
binary flag value and has been updated to readable text.

141980 CWE 400: A fix was added to close an unbounded resource consumption
vulnerability.
DETAILS
------
It was possible to control the image dimensions for the optimized throughput graph
generated by the application.
FIX
--
Limits were placed on the dimensions of the image to prevent exhaustion of
resources.

142434 Provides more details in the log when the error deflate failed: -2 stream error
occurs while using the SDR accelerator card. This information may be helpful to
diagnose failures of the SDR accelerator card.

142473 The fix adds the port number to the OPT cache key. This ensures that data
from different servers on the same host are differentiated.

143118 With the fix, the Steelhead advertises the correct number of IPv6 addresses
to connection forwarding neighbors.

143202 Fixed a rare issue where a Steelhead could experience poor performance and
log an error that included the text maybe_reset_inpath_interfaces after an upgrade.

143378 Cleaned up the old web certificates which prevented any future certificate
generation and importation.

143386 Fixed an issue that caused intermittent issues during file opens. The issue
occurs when an application, especially Microsoft Office, opens a file without
acquiring the necessary Oplock.

143422 Addressed the handling of "show packet-mode" command that leads to CLI
crash in debug mode.

143569 Fixed a rare condition where the optimization service failed when scaling to
more than 100K connections. Improved handling of multiple connections that share
the same data and that led to high CPU followed by a crash because the Steelhead
detected some loop condition.

143790 Fixed problem where PFS/RCU may fail on 32 bit platforms.

143807 Fixed the issue where no warning was given before shutting down for
hardware spec upgrade. A warning has been added now, and a 'confirm' flag is
needed to complete the action.

144064 Fixed a problem with Citrix client mapped drive optimization where duplicate
requests for the same file offset were ignored which could lead to incorrect data
being delivered to the Citrix server. A log message like the following may indicate
that this problem has been experienced:
[/citrix/sfe/parser WARN] {10.11.0.207:49935 10.11.141.63:1494} S Req: 03 00 14 00 00 e0 02 00 00 10 .. tail: 14 2a is a duplicate REQ

144134 Fixed a kernel panic that could occur in a virtual in-path deployment and
when RSP was enabled if RiOS generates fragmented packets. This would more likely
happen when packet-mode optimization was in use and fragmented packets were
transported, though other cases involving fragmented packets going out of the
in-path interfaces could trigger the issue, too.

144144 Fixed an issue where Encrypted-MAPI or Signed SMB connections could get
blocked when using Kerberos and the KRB5KDC_ERR_POLICY error was seen. Fixed
an issue where KRB5KDC_ERR_POLICY could result in connections getting blocked for
Encrypted-MAPI or Signed-SMB. The fix results in a connection being blacklisted
instead.

144217 The optimization service could crash if the first two Outlook Anywhere
connections were optimized within a very close timespan.

144300 Added support for DPI classification of Microsoft Lync traffic in QoS and Path
Selection rules.

144397 Fixed an issue that occurred when CITRIX blade was enabled and QoS
disabled. The issue caused packets belonging to a CITRIX connection, and carrying a
non-null CITRIX ICA priority tag, to be marked with the ECN field in the IP header set
to CE (binary 11 or Congestion Experienced). This could result in the packets being
dropped by an intermediate device in the network.

144470 Fixed an issue where the CLI command 'reset factory keep-mgmt-ip reload'
would cause the box to reload with the messages An internal error occurred and the
system would fail to respond. The Steelhead now successfully reloads with factory
configuration keeping mgmt ip intact. The CLI starts up with the initial wizard.

144472 Updated the Mouse-over help texts for authentication types for SMB,
SMB2/3 and MAPI.

144491 This fix corrects an issue where the CLI show interfaces command did not
display all the interfaces after another interface (e.g. mgmt0_0) was disabled.

144568 When a QoS rule is configured to classify Citrix ICA traffic based on
per-packet ICA priority values, misclassification may occur if the ICA rule is moved
from the 1st position in the rule list.

144793 CVE-2013-1950: libtirpc rpcbind remote denial of service.
DETAILS
-------
The svc_dg_getargs function in libtirpc version 0.2.3 and earlier, allowed remote
attackers to cause a denial of service (rpcbind crash) via a crafted request.
Note: This issue is not applicable to Steelhead versions 7.0 and lower.
FIX
---
This issue has been fixed by patching libtirpc for CVE-2013-1950.

144796 Fix is to unlearn the invalidated URL so that the Steelhead does not
repeatedly drop connections to the base page.

144856 Fixed an issue so that temporary credential caches are destroyed
correctly, preventing Kerberos tickets from leaking in delegation mode when
performing cross-domain delegation.

145027 Fixed a minor issue that would result in Unexpected NULL error messages
reported in the logs and that did not impact any functionality.

145194 This fix disallows adding recursive IPv6 routes and default gateways for
in-path interfaces.

145211 Fixed an issue where the LAN interface MAC address instead of the WAN one
could be used as the source MAC address for the outbound packets when the
Steelhead was in virtual in-path mode.

145214 A race condition with Kerberos authentication against Windows Server 2008
R2 with password replication policy enabled was fixed.

145368 With the fix, the CMC Appliance Details page can list all the RiOS 8.5.0
systems.

145593 Fixed an issue where the minimum key size of 630bit for Lotus Notes
Encryption optimization was not being enforced. Optimized Lotus Notes connections
where the client or server has a key smaller than 630bit were being dropped.

145605 On the Site Edit pane in Basic QoS setup, changed the DSCP select list for QoP
paths from Inherit from Application to Inherit from Site to provide more clarity.


145611 The issue here was that if a server-side Steelhead received too many SYN
packets for a client-server connection through a client-side Steelhead, the server-side
Steelhead might run out of memory, which caused the OOM memory manager to kill
sport, the main Steelhead process.
This fix addresses this issue by limiting the number of connections a server-side
Steelhead will try to optimize when flooded with SYN packets.
This feature is disabled by default. To enable it, use the following commands:
  in-path conn-hard-limit auto
    Enables probe splice limits, and configures them automatically based on
    connection threshold and admission control limits.
  in-path conn-hard-limit disabled
    Disables probe splice limits.
  show in-path conn-hard-limit state
    Shows the set value as seen by intercept. This command is preferred over the
    one specified below.
  show in-path conn-hard-limit config
    Shows the set value in the config db. This is in case the sysctl and config db
    go out of sync for any reason.

145834 In Basic QoS mode, do not let the sum of site bandwidths exceed the
configured WAN bandwidth.

145858 In a serial cluster optimizing IPv6 traffic using enhanced auto-discovery, if
the first Steelhead runs into admission control, it is possible that the second
Steelhead, which is supposed to take over the optimization duties, might experience
an optimization service crash.

The issue exists because of the way WAN visibility mode settings were handled
on middle Steelheads (it is independent of what WAN visibility mode is set in the
in-path rule).

145884 CVE-2013-4854: BIND malformed RDATA remote Denial of Service (DoS).
DETAILS
-------
The RFC 5011 implementation in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1,
9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and
9.9.4-S1b1, allowed remote attackers to cause a denial of service (assertion failure
and named daemon exit) via a query with a malformed RDATA section that was not
properly handled during construction of a log message.
FIX
---
BIND was upgraded to 9.9.3-P2.

146050 Fixed a bug where excessive amounts of memory are allocated when
transferring large files via Citrix Client Drive Mapping. This could result in out of
memory conditions which could lead to crashes of the optimization service.

146220 Improved the performance of deleting multiple QoS classes from the GUI.

146237 Optimization process will no longer crash when this scenario occurs during
active MAPI acceleration.

146316 The 'protocol connection *' suite of CLI commands is expanded to accept both
IPv4 and IPv6 addresses. These changes could facilitate the fixed-target IPv6 in-path
rules and single-ended optimization with IPv6 use cases.

146370 Fixed an issue in RiOS 8.5.0 where when an interface is connected but QoS
shaping is not enabled on that interface, a QoS configuration update causes the
following log message: QoS: writing tc commmands to stdin err Broken pipe.

146624 Resolved a multi-threading issue with the SSL connection bypass table.

146796 CVE-2013-2249: Apache HTTP mod_session_dbd module unsafe save
operations.
DETAILS
-------
mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server
before 2.4.5 proceeded with save operations for a session without considering the
dirty flag and the requirement for a new session ID, which had unspecified impact
and remote attack vectors.
FIX
---
The Apache httpd daemon was upgraded to 2.4.6 and unused modules on the
Steelhead were removed.

146853 Fixed an issue with the RTT calculation logic in RiOS that caused incorrect and
extremely large values to be exported in Netflow records for connections that use
transparent mode for inner connections.

147162 Fixed the counter overflow problem on 32 bit platforms that prevented
simplified routing entries update.

147302 Applied a fix, such that after a hardware upgrade the QoS bandwidth limits
are automatically updated and a reboot is not required for them to take effect.

147466 On the Current Connections page, in a given connection's detail pane, there
is a new Path Selection table, which appears when Path Selection has been used by
the given connection. Named paths have magnifying glass icons that, when clicked,
show further details for that path.

147495 This change extends the range of disks recognized by the vSH on Hyper-V.


147685 CWE-79: Cross Site Scripting (XSS) Vulnerability on the EX platform's software
upgrade page.
DETAILS
-------
The Cross Site Scripting (XSS) vulnerability was caused by the failure of a site to
validate, filter, or encode user input before returning it to another user's web client.
FIX
---
Fixed an XSS vulnerability on the EX platform's Software Upgrade page.

147765 Fixed insufficient memory error for small 32bit boxes. For models
250,550,555,755, the machine might show an error saying Insufficient memory to
sustain current model. Also, show hardware licensing info showed a DIMM with size
128MB or unbranded. This is fixed by upgrading to a newer version of the BIOS.

147895 Fixed an issue where the message No nic configuration file found will appear
too frequently. This message no longer appears at the INFO level and only appears at
the DEBUG level.

147949 Fixed the issue where the optimization service could crash when Steelhead
entered Admission Control and had optimized MAPI connections. This was specific to
the admission control handling of MAPI connections if special handling of MAPI
connections under Admission Control was enabled.

148017 CVE-2013-4238: Python ssl.match_hostname man in the middle arbitrary
server certificate spoof attack.
DETAILS
-------
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 did
not properly handle a '\0' character in a domain name in the Subject Alternative
Name field of an X.509 certificate, which allowed man-in-the-middle attackers to
spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification
Authority.
FIX
---
Upgraded Python 2.6 RPM with patch for CVE-2013-4238.

148135 Replaced certain verbose HTTP 500 errors with generic ones.

148200 Forms submitted using a GET method instead of the standard POST -- for
example, through bookmarking of a carefully crafted URL -- could result in race
conditions, denial of service and security check bypass. Web UI forms can now only
be submitted with the POST method.

148238 This fix hides TCP Congestion Algorithm and outer channel IP address for
SHM connections since there is no WAN section and outer channel IP address for the
connections between SteelHead Mobile and Client Side SteelHead.

148660 Fix was made to properly classify DPI applications that rely on the port map
in the DPI library.

148816 Fixed a Cipher suite ... is not supported. log message so that the unsupported
cipher suite is correctly printed.

148943 Enabled decrementing time-to-live (TTL) for such packets by default.

148964 CWE-79: Cross Site Scripting (XSS) Vulnerability in management UI log display
page.
DETAILS
-------
The Cross Site Scripting (XSS) vulnerability was caused by the failure of a site to
validate, filter, or encode user input before returning it to another user's web client.
FIX
---
Values returned in the UI log display page are escaped.

149174 Fixed parsing logic to correct the statistics reported by CLI command 'show
path-selection paths stats'.

149549 Fixed memory leaks in the management process.

149892 Fixed a regression in RiOS 8.5.0 where the Filter by: Regular Expression filter
criterion for Current Connection was no longer available.

149904 Fixed an issue with the QoS feature that did not work on the AWS Cloud
Steelhead. Previously, when configuring QoS, an error saying that the primary link is
not up or that the link speed is lower than the configured wan link rate would show
up. This did not affect ESX Cloud SteelHead.

149926 Fixed problem where web rest-server enable caused the web server to stop
responding.

150222 Fixed an issue with the handling of small requests and responses for
optimized exchange traffic.

150257 Removed RiOS internal state information from the output of the CLI
command 'show path-selection path * state'.

150258 This fix addresses a page allocation failure with backtraces which may have
been seen when a sysdump was initiated. This issue was due to large memory
allocation attempts while displaying tcp socket details using networking tools like
netstat -al. This happened only when the Steelhead had lots of fragmented memory.

150358 The issue arose because internal tables on the Steelhead which store the
per-flow direction value were not updated correctly. This has been addressed and with
the fix, the value of the biFlow direction for each flow is consistent through the
lifetime of the flow.

150401 Fixed the logic that causes the following error message to be logged when
there is no functional impact while executing the CLI command 'show path-selection
path * state':
[mgmtd.ERR]: Failed parsing paths config proc entry

150449 Fixed a problem in validation of the SSL proxy certificate against the host
name presented in the SNI. This validation would erroneously fail if the proxy
certificate used wildcard characters. A specific example would be a bypass for
www.google.com if the proxy certificate contained *.google.com
Code was updated to correctly handle such wildcards.
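
The wildcard comparison described in 150449, together with the embedded-NUL case
from CVE-2013-4238 (148017), as an added Python example; it is not RiOS or CPython
code. The function names and the spoofed sample name are constructed, and the rules
are a conservative subset of RFC 6125 (a wildcard must be the whole left-most label).

```python
import ipaddress


def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, and split it into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def _is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def c_string_view(name):
    """What code that treats the name as a NUL-terminated string would see."""
    return name.split("\x00", 1)[0]


def dns_name_matches(pattern, hostname):
    """Return True if a certificate DNS name (pattern) covers hostname."""
    # An embedded NUL is never part of a valid DNS name. Rejecting it up front
    # means no later layer can compare a truncated copy (CVE-2013-4238).
    if not pattern or not hostname or "\x00" in pattern or "\x00" in hostname:
        return False
    # DNS-name and wildcard matching never apply to IP address literals.
    if _is_ip_literal(hostname):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:
        return False
    if "*" not in pattern:
        return p == h
    # Wildcard rules: only the whole left-most label may be '*', and at least
    # two labels must follow it, so '*.com' is refused.
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    # '*' stands for exactly one label, so the label counts must be equal.
    return len(h) == len(p) and h[1:] == p[1:]


def certificate_covers(san_dns_names, sni_hostname):
    """True if any DNS name from the certificate covers the SNI host name."""
    return any(dns_name_matches(name, sni_hostname) for name in san_dns_names)
```
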

150483 Fixed a problem where emails reporting /bin/sh: /usr/lib/sa/sa1: No such file
or directory may be sent from 32-bit appliances running RiOS 8.5.0.

150592 Fixed an issue so that anonymous logons for CIFS-SIGNED connections are
now correctly handled in NTLM-Delegation mode as opposed to getting blacklisted.

150669 Fixed an issue that caused PFS local mode shares created pre-7.0.0 to be
inaccessible when RiOS is upgraded to 8.5.0.

150743 When upgrading to RiOS 8.6.0, we scan the QoS configuration, detect the
corrupted QoS configuration and fix it automatically.

150957 Fixed an issue with the http optimization service which was dropping the
beginning part of request data if bypass condition was hit when parsing the http
headers split in more than one tcp frame.

151006 The fix gracefully handles the Outlook user reconnect and MAPI
pre-population session close.

151073 The fix in RiOS kernel gracefully handles the rare condition to prevent service
disruption.

151146 Due to a complex coding issue there are times when the Citrix DSCP markings
are incorrect. These issues are now resolved.

151160 Implemented DSCP transparency feature to preserve the DSCP value from
end-hosts to all outer and inner connection packets when full-transparency mode is
used. Server and probe caching features must be disabled.


151284 A component required for QoS was missing in the Hyper-V interface driver.
This caused QoS to always be disabled on Virtual Steelhead for Hyper-V. This fix
now adds in that component.

151418 Fixed the SSL optimization module selection logic.

151461 Fixed a problem where log messages stating [ping/client.ERR] 0 {- -} Error
reading from socket Unknown error were printed when handling a premature
end-of-stream TCP socket error. The TCP socket error is now handled correctly, and the
log message states that an end-of-stream error occurred.

151633 The fix is to do a complete cleanup of specific data structures involved in the
Find operation in Sport when a SMB2 Find Operation is cancelled by the client.

151682 Fixed an issue which caused client side optimization service to crash when
smb2 optimization was enabled and a request inside smb2 compound request was
cancelled by the client. The fix is to appropriately handle the state of request upon
being cancelled and not treat it incorrectly as a pre-acknowledged request.

151873 This fix adds the SaaS platform name for pass-through connections which go
through Akamai when SaaS is supported and enabled. In the CLI, the user can see the
SaaS platform name in the show connection details report.

151875 The fix ensures that the state in the Steelhead required to intercept the
proxied MAPI connections is not lost unexpectedly.

151920 Fixed a problem that caused a crash while processing HTTP requests using
chunked transfer encoding, if the CRLF following the chunk length and the chunk
length were split in two different tcp packets.
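
An incremental decoder for the case in 151920, where the chunk length and the CRLF
that follows it arrive in different TCP segments. This is an added Python example,
not RiOS code; the class name, the size limits and the sample segments are
constructed for illustration.

```python
class ChunkedDecoder:
    """Decode an HTTP/1.1 chunked body that is fed one TCP segment at a time."""

    MAX_LINE = 256          # bound on a buffered size or trailer line
    HEX = b"0123456789abcdefABCDEF"

    def __init__(self):
        self._buf = bytearray()   # bytes received but not yet consumed
        self._state = "size"      # size -> data -> data_crlf -> size ... -> trailer
        self._remaining = 0
        self.body = bytearray()
        self.done = False

    def feed(self, segment):
        """Add one segment; return True once the terminating chunk is complete."""
        self._buf += segment
        while not self.done and self._step():
            pass
        return self.done

    def _take_line(self):
        """Return one line without its CRLF, or None if the CRLF has not arrived."""
        end = self._buf.find(b"\r\n")
        if end < 0:
            if len(self._buf) > self.MAX_LINE:
                raise ValueError("line too long")
            return None           # keep the partial line buffered and wait
        line = bytes(self._buf[:end])
        del self._buf[:end + 2]
        return line

    def _step(self):
        """Advance the state machine once; False means more input is needed."""
        if self._state == "size":
            line = self._take_line()
            if line is None:
                return False
            size_text = line.split(b";", 1)[0]        # drop chunk extensions
            if not 0 < len(size_text) <= 8 or any(c not in self.HEX for c in size_text):
                raise ValueError("bad chunk size")
            self._remaining = int(size_text, 16)
            self._state = "data" if self._remaining else "trailer"
            return True
        if self._state == "data":
            if not self._buf:
                return False
            take = min(self._remaining, len(self._buf))
            self.body += self._buf[:take]
            del self._buf[:take]
            self._remaining -= take
            if self._remaining == 0:
                self._state = "data_crlf"
            return True
        if self._state == "data_crlf":
            if len(self._buf) < 2:
                return False      # the CRLF after the data may itself be split
            if self._buf[:2] != b"\r\n":
                raise ValueError("missing CRLF after chunk data")
            del self._buf[:2]
            self._state = "size"
            return True
        line = self._take_line()  # trailer section: read lines until an empty one
        if line is None:
            return False
        if line == b"":
            self.done = True
        return True


def decode_segments(segments):
    """Decode a list of segments; raise ValueError if the body is incomplete."""
    decoder = ChunkedDecoder()
    for segment in segments:
        decoder.feed(segment)
    if not decoder.done:
        raise ValueError("incomplete chunked body")
    return bytes(decoder.body)
```
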

151943 Code has been corrected to properly generate the required ICMP
fragmentation needed when a packet is dropped due to inpath MTU setting.

152046 Fixed an issue where the passthrough reason reported for failed terminated
connections from Granite is misleading.

152250 On a Steelhead with double interception, there may be two connections
with the same source IP, source port, destination IP and destination port. This fix adds
support to display these connections together in the CLI.

152280 This fix temporarily removes SMB2 Find prefetches on encountering a
compound request containing a Create request and an unsupported find request.

152447 This fix treats report settings as non-configuration changes so that they are
not reported as configuration changes and no SNMP trap is generated.

152628 Fixed a bug that caused the console dump process to repeatedly display the
same outdated message localhost kernel: con_dump: restoring oops message,
timestamp=... after a machine reboot


152667 Fixed an issue that resulted in performance issues with CIFS clients. Microsoft
Office applications were particularly vulnerable to slowness. The issue occurred
when the server was NetApp ONTAP 8.x C-mode, only for releases prior to 8.2P3.
Process to identify if a slowness issue is due to this bug: if the Wireshark filter below,
applied to a server-side Steelhead LAN trace, shows one or more packets, then it's a
match for this bug:
(smb.cmd==36) && !(smb.flags2.string == 1) && (smb.lock.type.oplock_release == 1) && (tcp.dstport == 445 or tcp.dstport == 139)

152793 CVE-2010-5107: OpenSSHv6.1 fixed time limit connection slot exhaustion
DoS.
DETAILS
-------
The default configuration of OpenSSH through 6.1 enforced a fixed time limit
between establishing a TCP connection and completing a login, which made it
easier for remote attackers to cause a denial of service (connection-slot
exhaustion) by periodically making many new TCP connections.
FIX
---
To reduce the risk of denial of service attacks described in CVE-2010-5107, added
MaxStartups 10:30:100 to sshd_config file, and patched OpenSSH to have that be
the default. This enables random early drop as described in the sshd_config man
page.

152827 Resolved the issue that triggered the admission control in SH due to memory
pressure. Previously, certain requests cached by the MAPI connection tracker were
only cleared when all the connections between a particular client-server pair
terminated. As a result, in certain environments, this was leading to an increased
memory usage, and hence high memory pressure. With the current fix, the per
association group cleanup is done, as soon as all the connections belonging to that
particular association group have terminated, thus relieving memory pressure.

152861 Fixed an issue which caused server side optimization service to crash when
Smb2 optimization was enabled and an interim Notify response came from server
before rest of the chained responses. The interim response was held back at SFE
causing failure in processing rest of the chain responses. The fix is to let the interim
response reach the client and have the rest of chained responses sent to the client
when complete chain is received.

152903 Fixed a memory corruption issue in CIFS blade that caused crash of
optimization service. The crash stack dump lists CodecHandle::~CodecHandle().

152965 Fixed an issue where the Steelhead might crash when Steelhead Cloud
Accelerator was optimizing O365 outlook client connections. The crash might occur
on a heavily-loaded Steelhead due to an invalid pointer access triggered by a new
Outlook optimized connection creation.


153086 The optimization service crash was seen because the HTTP module was trying
to clean up some internal state which had already been cleaned when the end of
connection was received from the server. Now if the HTTP module receives any
message from the server after the end of connection, the connection is dropped.

153113 Fixed an issue where continuous logging hung up the UI when too many
requests were active at the same time.

153148 Resolved a service crash that could occur in rare cases after an HTTP request
parse failure on the server side Steelhead. This was due to an unexpected HTTP
request that was supposed to result in a connection drop, but due to a bug in the
error message formatting, it resulted in a crash.

153272 Fixed an issue where O365 webmail connections through Steelhead Cloud
Accelerator might fail when Steelhead and Interceptor were deployed on the
client-side. This issue occurred when Steelhead tried to apply cloud acceleration to
connections that were RiOS passthrough, which was its default behavior.

153328 Correctly handle Kerberos Authentication Protocol requests without an
authenticator subkey to prevent a potential sport crash while performing Kerberos
decryption.

153424 New feature: A new sys_admin RBM role allows users full administration
access, including changing users and RBM permissions without being logged in as
Admin. The feature provides better control and auditing of users with privileged
access levels.

153482 The issue occurred in the MAPI component when the client side Steelhead
was waiting for the encryption key from the server side and a request came on the
same connection without any authentication context. The fix ensures the correct
handling of this scenario.

153504 RBM users may use tcpdump if they are given that role with read-write
permission.

153653 Fixed an issue where un-canceled timeout events in the optimization
service's event-system could result in a crash.

153762 CVE-2013-4348: skb_flow_dissect remote Denial of Service via IHL with IPIP
encapsulation.
DETAILS
-------
The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel
through 3.12 allowed remote attackers to cause a denial of service (infinite loop)
via a small value in the IHL field of a packet with IPIP encapsulation.
FIX
---
The kernel has been patched to mitigate CVE-2013-4348.

153763 Fixed an issue when handling multiple outstanding authentication requests
on a single MAPI connection. The outstanding requests are now serialized to ensure
correct behavior.

154090 Fixed memory leak issue introduced due to libxml2 library upgrade in RiOS
8.5.0.

154094 Fixed an issue with the dns interface cli command where the warning Unable
to find header for reverse mapping block would appear in the system log.

154199 Fixed an issue where SMB3 port 8781 would not be listed among list of
Monitored Ports.

154203 CVE-2013-4545: cURL man in the middle certificate spoofing
DETAILS
-------
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disabled the
certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when
the digital signature verification (CURLOPT_SSL_VERIFYPEER) was disabled, which
allowed man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
certificate.
FIX
---
Applied patch to cURL for CVE-2013-4545. The fix preserves acknowledging
VERIFYHOST when VERIFYPEER is disabled.

154252 Fixed an issue where the Gratuitous 401 responses to HEAD requests from
the client-side Steelhead included the message body resulting in parse failures and
thereby dropped connections.

154295 Fixed the shutdown code that would prevent the optimization service crash
when MAPI pre-population was being closed.

154358 Fixed an issue where the following message might appear in the log on
systems with a certain type of eUSB device: Let scsi_cmnd (1) abort. usb 2-5: reset
high speed USB device using ehci_hcd and address 2

154410 The Web UI now sets the X-Frame-Options header, which provides an
additional layer of protection against cross-site scripting vulnerabilities.

154630 Fixed an issue where an empty inner connection pool would fail to
repopulate pool connections to the peer Steelhead if the last connection in the pool
was removed due to an error. With this fix, the connection pool will repopulate the
next time an optimized connection is created for the peer Steelhead associated with
that connection pool.


154671 The version incompatibility alarm between connection forwarding neighbors,
when multi-inpath support was enabled, has been fixed to be shown as Cluster
Neighbor Incompatible.

154696 Fixed an issue where deleting a QoS rule could corrupt another rule, causing
it to pick up the paths specified in the rule below it.

154763 Fixed a bug that was caused by certain bulk qos configuration changes which
only happened when the changes were pushed from CMC or due to a config DB
switch.

154811 Fixed a bug found in HFSC upper limit service curve which caused a lot of
packets being throttled incorrectly and CPU utilization to be high.

155001 Fixed an issue where server side Steelhead running RiOS 8.5.0 or higher
dropped CIFS pre-pop connections initiated by the client side Steelhead running RiOS
6.5.6 or lower.

155260 Fixed an issue that prevented secure peering when optimizing snap mirror
and SRDF traffic.

155336 Fixed an issue where the /var partition became full after collecting
Application Visibility stats. The system dynamically scales back granularity thresholds
when low partition space is detected.

155648 CVE-2013-6449: OpenSSL ssl_get_algorithm2 version number remote DoS
using TLS 1.2 client
DETAILS:
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtained a
certain version number from an incorrect data structure, which allowed remote
attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS
1.2 client.
FIX:
This issue has been fixed by patching the OpenSSL library to fix CVE-2013-644

155751 A problem was introduced in 8.5.0 where the first request of an Oracle Forms
connection was incorrectly interpreted and being blocked. Clients would issue a
request and it would appear as if the server weren't responding. Corrections to the
parsing code have resolved this problem.


155783 CVE-2013-4353, CVE-2013-6449, CVE-2013-6450: OpenSSL cumulative
security update
DETAILS:
OpenSSL cumulative security update for CVE-2013-4353: TLS record tampering,
CVE-2013-6449: TLS incorrect version checking and CVE-2013-6450 DTLS context
interference
FIX:
Upgraded OpenSSL to 1.0.1f to fix CVE-2013-4353, CVE-2013-6449,
CVE-2013-6450.

155830 Fixed NT_STATUS_REVISION_MISMATCH during replication to some
Windows 2003 R2 and Windows 2012 R2 servers caused by unsupported Bind
response lengths.

155913 Fixed a problem where the local interface IP address was not correctly
printed when the Out-of-Band (OOB) connection was disconnected. Log messages for
Resetting state for oob splice would sometimes print the IP address of a different
local interface than the interface on which the OOB connection was established. The
log message now prints the IP address of the local interface associated with the OOB
being disconnected.

155950 CVE-2013-4353, CVE-2013-6449, CVE-2013-6450: OpenSSL cumulative
security update.
DETAILS
-------
OpenSSL cumulative security update for CVE-2013-4353: TLS record tampering,
CVE-2013-6449: TLS incorrect version checking and CVE-2013-6450 DTLS context
interference.
FIX
---
OpenSSL was upgraded to mitigate CVE-2013-4353, CVE-2013-6449,
CVE-2013-6450.

156010 Fixed an issue where unsigned CIFS connections got blocked due to a
regression. Unsigned CIFS connections continue to get latency optimized as in
pre-8.5.2.


156286 CIFS prepop sync operations that exceed max sync time or max sync size
were cancelled, and the sync operation was marked as failed. This caused the sync
operation to retry after 5 minutes, which was not desirable. The fix to this bug treats
these errors as non-critical and avoids retries.

156358 The optimization service (sport) could crash due to excessive buffering of
packets, resulting from slow response to growing memory pressure on a steelhead.
This fixes the issue by detecting memory pressure in advance and throttling traffic.

156432 Fixed an issue that resulted in optimization service crash on the client-side
Steelhead at NamesDecoder::handle_event(). Fix involves clearing action pointer
when encode or decode operation completes, irrespective of whether it succeeds or
not.

156487 Path Selection Path Down alarm emails didn't show which path was down.
Path down alarm emails now list out the name of paths that are down.

156897 Fixed an issue where SNMP did not listen on Mgmt In-Path interfaces.

157120 Fixed an issue that caused server side optimization service crash at
Smb2::ChainSplitterQueue::update_lease_create_response(). For a certain sequence
of request commands in an SMB2 packet sent to the server, the SMB2 optimization
module on the server-side Steelhead failed to do error checking on the response. The
fix involves addition of response error checks.

157317 Mismatch between milliseconds and seconds in time conversion was causing
period between SCEP certificate renewal checks to be 1000x longer than expected.
Certificate was checked ~17 hours after initial startup, then every 1000 days after
that. Corrected time conversion so checks occur 1 minute after startup, then every
24 hours after that.

157319 Fixed an issue where connections from Steelhead EX RiOS to Granite core
were not optimized and the following error messages occurred in the Steelhead
syslog: [intercept.ERR] - {- -} ioctl 0xc0c87a06 (z - 6) failed: Invalid argument.

157351 Fixed an issue which caused crash of client-side optimization service when
Smb2 blade was enabled. Crash occurred when the client reused a lease on a
connection while the lease preexisted from another closed connection. A notice level
log that attempted to access the parser from the closed connection led to this crash.
The fix is to get rid of that reference to closed connection in the notice level log.


157539 The OVA package has been updated to add support for older hosts (older
than ESXi 5.0).

157540 Fixed an issue that resulted in client-side optimization service crash
originating from Smb2::ClientParser::request_cancel_hook(). The fix involves making
sure that the file handle exists when an SMB2 Find operation is cancelled, before
attempting cleanup of specific data-structures.

157553 Fixed an issue in RiOS kernel that caused a kernel panic when a SYN packet of
a transparent mode inner connection that originated at a Steelhead which was also a
connection forwarding neighbor was processed.

157716 Before the fix, RiOS would cease latency optimization if an early response
was detected. A synchronization problem between peering Steelheads was
introduced in 8.5.0 where a few bytes of internal routing data were appended. The
extra data would have been interpreted by the server as a Bad Request. The issue
has been resolved.

157931 New feature: the SSH server's allowed message authentication code (MAC)
algorithms may be configured using the 'ssh server allowed-macs' CLI command. The
'show ssh server allowed-macs' CLI command shows the current setting.
The default setting is to allow hmac-sha1, which has been available in OpenSSH since
version 2.1.1 (June 2000), hmac-sha2-256, and hmac-sha2-512. Other MACs that
may be enabled are hmac-md5, umac-64@openssh.com, hmac-ripemd160,
hmac-sha1-96, and hmac-md5-96.

158139 Fixed an issue that caused the pathSelectionPathDown SNMP trap to be
reported instead of pathSelectionPathDownClear when the path down alarm cleared.

158279 The Steelhead optimization service could print a warning syslog message like
enable_callid_renumber() called more than once, this should not happen!. While the
MAPI optimization would continue without issues, we have fixed the underlying
condition that triggered this message.

158343 Fixed an issue that caused mgmtd in FIPS mode to crash while processing a
user's password change. This issue only occurred if the user's expired password was
blank, and when prompted to enter this old password the user entered a non-empty
value.

158423 Fixed a race condition that existed when the path selection feature was
enabled and the Steelhead received ICMP packets that would cause failure of
the path-monitoring daemon.

158480 Fixed an issue where some error conditions (e.g., Cannot assign requested
address) on the server-side Steelhead might have caused the connection states to get
out of sync among the Connection Forwarding peers (with or without Interceptors,
but more likely to happen with Interceptors.) When this happened, the SYN-ACK
packet from the server might have been leaked to the client rather than being
intercepted by the server-side Steelhead, causing the client-side Steelhead
Asymmetric Routing alarms to be triggered.

158622 Before Outlook opened a MAPI connection to the Exchange server it used the
EPM protocol to query for the TCP port of the Exchange MAPI service. The Steelhead
optimization service was not using the Exchange MAPI service's IPv4 address of the
EPM protocol correctly. With the bug fix applied the optimization service is correctly
using the IPv4 address.

158818 CVE-2013-1775: sudo authentication bypass via system clock and user
timestamp reset.
DETAILS
-------
sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allowed local users
or physically proximate attackers to bypass intended time restrictions and retain
privileges without re-authenticating by setting the system clock and
sudo user timestamp to the epoch.
FIX
---
Upgraded sudo RPM as described in
https://rhn.redhat.com/errata/RHSA-2013-1701.html to fix CVE-2013-1775.

159010 Fixed a race condition in the RiOS kernel that may have caused a kernel panic
when disabling the path selection feature.

159437 The truncation is fixed and the correct number of connections is displayed.

159533 FTP blade was unable to handle EPSV mode responses that used a non-standard
delimiter. Most FTP servers used the '|' character to delimit the port
number, and RiOS failed if any other character was used. Relaxed parsing code to
allow for legal delimiters per RFC 2428.
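
The relaxed parsing described in 159533, as an added example (not Riverbed's code): a Python parser for the RFC 2428 reply form 229 <text> (<d><d><d><tcp-port><d>), where <d> is any one ASCII character in the range 33-126. The function name, the pipe_only switch and the sample replies are constructed for illustration.

```python
import re

# RFC 2428 section 3: 229 <text> (<d><d><d><tcp-port><d>)
# <d> is one ASCII character in the range 33-126; '|' is only recommended.
_EPSV = re.compile(r"\((?P<d>[\x21-\x7e])(?P=d){2}(?P<port>\d{1,5})(?P=d)\)")


def parse_epsv_port(reply, pipe_only=False):
    """Return the data port announced in a 229 reply.

    pipe_only=True models a parser that accepts only '|' as the delimiter.
    Raises ValueError on anything that is not a well-formed 229 reply.
    """
    reply = reply.strip()
    if not reply.startswith("229 "):
        raise ValueError("not an EPSV (229) reply: %r" % reply)
    found = list(_EPSV.finditer(reply))
    if not found:
        raise ValueError("no (<d><d><d><port><d>) group in %r" % reply)
    m = found[-1]  # free text may precede the group, so take the last one
    delim = m.group("d")
    if delim.isdigit():
        # Inside the legal range, but ambiguous next to the port digits.
        # Rejecting it is a choice made in this example, not an RFC rule.
        raise ValueError("digit delimiter is ambiguous")
    if pipe_only and delim != "|":
        raise ValueError("delimiter %r rejected by pipe-only parser" % delim)
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


# Constructed sample replies (not captured from a real server).
SAMPLES = [
    "229 Entering Extended Passive Mode (|||6446|)",
    "229 Entering Extended Passive Mode (!!!50001!)",
    "229 Extended Passive Mode OK (###21000#)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", parse_epsv_port(s))
```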

159644 Fixed an issue that would cause fragmented packets other than TCP, UDP, or
ICMP to be blocked when RSP was enabled. This was due to some mishandling in the
defragmentation logic for such packets.

159832 CVE-2012-6638: Linux Kernel tcp_rcv_state_process SYN+FIN remote DoS
DETAILS
-------
The tcp_rcv_state_process function in the Linux kernel allowed remote attackers to
cause a denial of service (kernel resource consumption) via a flood of SYN+FIN
TCP packets.
FIX
---
SYN+FIN TCP packets were generally illegal and served no legitimate purpose. The
RiOS kernel has been patched to drop such packets.

160011 CVE-2014-1912: Denial of Service vulnerability in Python sockets due to
boundary check errors in sock_recvfrom_into
DETAILS
-------
A vulnerability was reported in Python's socket module, due to a boundary error
within the sock_recvfrom_into() function, which could be exploited to cause a
buffer overflow. This could be used to crash a Python application that used the
socket.recvfrom_into() function or, possibly, execute arbitrary code with the
permissions of the user running vulnerable Python code. This vulnerable function,
socket.recvfrom_into(), was introduced in Python 2.5.
FIX
---
Applied security patch to Python for CVE-2014-1912.

160464 Configuration options 'protocol mapi outlook-anywhr schannel enable' and
'protocol mapi outlook-anywhr multi-context enable' were interacting in a way that
forced multi-context to be enabled anytime that schannel was enabled. This issue has
now been resolved and multi-context support can be disabled if needed.

160543 Fixed a kernel panic that would happen when Path Selection was disabled
while traffic was running and being path-selected. This was because the system
resources for some inpaths could have been released while other inpaths were still
active. When a packet from an active inpath got steered to one that had been
disabled, the panic could occur.


160623 CVE-2014-0092: GnuTLS Certificate Validation Security Bypass Vulnerability
DETAILS
-------
GnuTLS failed to properly handle certain errors in X.509 certificate verification,
which could result in a specially-crafted certificate being accepted as valid even
when issued by any non-trusted Certificate Authority. This could be used to
perform man-in-the-middle attacks against applications using GnuTLS.
FIX
---
No action needed: GnuTLS is not used in the currently supported RiOS
software, having been removed starting with RiOS 8.6, so RiOS is not vulnerable to
CVE-2014-0092.

160813 Fixed this bug by ensuring the Global DSCP setting does not overwrite the
DSCP value set by the matched header base rule.

161148 When using web ssl cert generate key-size, unusable key sizes which would
have caused HTTPS access to the web server to fail are disallowed.

161153 When using web ssl cipher, invalid cipher strings are disallowed.

161176 Netflow templates carried field IDs for RiOS specific fields in the range carved
out for Riverbed, 51000 and higher. This behavior was enabled by default when a
Netflow v9 or CascadeFlow collector was configured. The behavior can be toggled
using the CLI command, '[no] ip flow-export destination <collector_ip>
<collector_port> rvbd-field-ids enable'.

161478 Fixed an issue where the sched process would sometimes crash when
deleting a job scheduled to execute in the future. This would only occur if sched, or
the entire appliance, was restarted after creating the job.

161682 Fixed an issue where a failed addon card could cause other addon cards not
to be properly identified and used.


161816 Fixed an issue that prevented Windows 8.1 or Windows 2012R2 clients from
establishing SMB3 connections when connecting through Steelheads.
RiOS releases affected by the issue:
7.0.x
8.0.0 to 8.0.6
8.5.0 to 8.5.2b
With this fix, connections from Windows 8.1 to Windows 2012+ servers are
latency-bypassed, while SDR optimization on these connections is not affected. Latency
optimization of connections from Windows 8.0 to Windows 2012+ servers and SMB
2.x connections is not affected.

161842 Modified certain error messages from the image fetch command to prevent
information disclosure in logs.

161849 Made the following CLI command available that allows for the in-path
interface MTU and LAN and WAN interface MTUs to be decoupled:
'interface mtu-override enable'. This capability is required if RiOS is unable to
receive and process packets larger than the in-path interface MTU, including
passthrough packets.

161984 Fixed this bug by ensuring invalid site index is not accepted as input.

161987 CVE-2014-0098: Apache httpd mod_log_config crafted log cookie denial of
service.
DETAILS
-------
The log_cookie function in the mod_log_config module in the Apache HTTP Server
allowed remote attackers to cause a denial of service via a crafted cookie that
was not properly handled during truncation.
FIX
---
Upgraded Apache httpd web server to fix security bug CVE-2014-0098.

162094 On the Current Connections UI report, applications are sorted by their
displayed name. Higher-level components of the application name, if any, are
available in a tooltip or in the connection details. Only the last component is used for
sorting.


162506 After an upgrade or reboot, netflow records are not sent to the configured
collectors and Application Visibility reports are not created, even though enabled.
Also, top talker reports may not display any data even though the feature is enabled.
This issue can be identified by checking the netflow/interfaces file in the sysdump,
which will indicate in this case that flow tracking is not switched on for any of the
interfaces.
If the user has configured collectors on the Steelhead, flow export can be disabled and
enabled. For Application Visibility to work, the same can be disabled and enabled. For
top talkers to work, the same can be disabled and enabled.

162741 The Steelhead no longer logs this warning for valid empty response PDUs. If
this empty response is received during cached mode acceleration and skip-copy is
not enabled, the following INFO message is logged instead: Accelerator was
optimizing when empty response was received. You may want to enable 'protocol
mapi skip-copy enable' on client-side and server-side Steelhead.

163509 Fixed a problem where the Citrix optimization blade was causing high CPU
usage. The high CPU usage was due to logic in the Citrix blade where it was
processing a long chain of data, causing it to take a long time to complete. Due to this
high CPU usage, the watchdog timer would mark the thread as unhealthy and cause
a SIGABRT signal to be sent to the optimization service, resulting in its termination.

163622 CVE-2014-2653: OpenSSH remote servers skipping SSHFP DNS RR checking.
DETAILS
-------
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and
earlier allowed remote servers to trigger the skipping of SSHFP DNS RR checking
by presenting an unacceptable HostCertificate.
FIX
---
Applied patch for CVE-2014-2653 to OpenSSH.


163743 CVE-2014-0160: OpenSSL heartbeat extension sensitive information
disclosure (a.k.a. Heartbleed bug).
DETAILS
-------
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g did not
properly handle Heartbeat Extension packets, which allowed remote attackers to
obtain sensitive information from process memory via crafted packets that
triggered a buffer over-read. See http://heartbleed.com/ for more details.
FIX
---
Upgraded OpenSSL to 1.0.1g to fix CVE-2014-0160 (Heartbleed Bug).

163928 Path Selection may not be applied to WAN-bound traffic if the next hop or
default gateway for a Steelhead's in-path interface is on the LAN side. The default
gateway or next hop must be on the WAN side of the Steelhead. The next hop may be set by
adding a static route in the in-path interface's routing table.

6) KNOWN ISSUES

150102 Memory leaks may occur if non-SSL traffic flows over SSL ports. The memory
leaks have been fixed.

158916 When using SCEP for peering certificates, automatic renewal fails with error
Transaction not permitted or supported by the SCEP responder (eg, wrong
passphrase, rejected by CA operator, etc).

161036 When connecting to the Cloud Portal through a proxy server, the ESH version
of curl adds a Content-Length header to the CONNECT request. Some proxy services
will fail the CONNECT request with a 400 status. ESH requests to the Cloud Portal will
fail. Configure the proxy server to allow requests with 'Content-Length' header.

162338 SNMP traps are triggered only when email notification is enabled. Keep
email notification enabled to continue triggering SNMP traps.

162479 On the Current Connections report, some connections have multi-level
application types such as HTTP > WebDAV > SharePoint. Only the last component is
used for table display and sorting. It is not possible to sort by the first component of
the chain. Filtering on the higher-level application component, then sorting, can be
used to find children of an application.

162670 The Steelhead QoS functionality cannot classify Microsoft Lync 2013 traffic.

164125 On the User Permissions screen of the UI, the Citrix Acceleration role is
misspelled and appears at the bottom of the list under the Uncategorized heading.
Use the Citrx Acceleration role to assign permissions for Citrix.

164780 For customers who use Path Selection, Quality of Service, Netflow DPI, or
Application Visibility, SMB2 connections may be reported as CIFS on the Current
Connections report.

173590 Downgrading the Steelhead to RiOS 8.6.x from a pre-8.6 release that is dated
later than the 8.6.x release will cause a loss of license and optimization will fail to
start. This scenario can be encountered when 8.6.x is in the Steelhead's image
history, the Steelhead is running a pre-8.6 release that has a build date that is later
than the 8.6.x release being installed, and that 8.6.x release is installed/downgraded
to.
Example:
8.5.2 build date Dec. 20 2013
8.5.3 build date May 19, 2014
8.6.0 build date April 15, 2014
The following path would hit this bug:
8.5.2 > 8.6.0 > 8.5.2 > 8.5.3 > 8.6.0 (8.5.3 > 8.6.0 is a downgrade due to 8.6.0 being in
the image history, and 8.5.3 build date is later than 8.6.0).
Avoid this scenario by ensuring that an upgrade, instead of a downgrade, to 8.6.x
takes place. One must downgrade to a pre-8.6.x release that is in the image history
and dated prior to the target release, and then upgrade to 8.6.x.
From the previous example, the following path is successful:
8.5.2 > 8.6.0 > 8.5.2 > 8.5.3 > 8.5.2 > 8.6.0
In the loss-of-license condition, re-install the licenses, revert to the pre-8.6.x
partition, or re-install a pre-8.6.x image that is in the image history, to recover the
licenses and optimization.
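
The condition in 173590 written as a check over a planned install path, as an added example (not Riverbed tooling). The build dates are the ones from the example above; the function names are hypothetical, and "image history" is modelled, as an assumption, as every image installed earlier in the path.

```python
from datetime import date

# Build dates from the example in 173590.
BUILD_DATES = {
    "8.5.2": date(2013, 12, 20),
    "8.5.3": date(2014, 5, 19),
    "8.6.0": date(2014, 4, 15),
}


def _series(version):
    """'8.5.2b' -> (8, 5): major and minor numbers only."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def license_loss_steps(path, build_dates=BUILD_DATES):
    """Return the (running, target) installs in path that match 173590.

    A step matches when the target is an 8.6.x image already in the image
    history and the running pre-8.6 image was built after the target.
    """
    hits = []
    history = {path[0]}  # assumption: history = every image installed so far
    for running, target in zip(path, path[1:]):
        if (_series(target) == (8, 6)
                and target in history
                and _series(running) < (8, 6)
                and build_dates[running] > build_dates[target]):
            hits.append((running, target))
        history.add(target)
    return hits


if __name__ == "__main__":
    failing = ["8.5.2", "8.6.0", "8.5.2", "8.5.3", "8.6.0"]
    working = ["8.5.2", "8.6.0", "8.5.2", "8.5.3", "8.5.2", "8.6.0"]
    print("failing path hits:", license_loss_steps(failing))
    print("working path hits:", license_loss_steps(working))
```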

193992 When Path Selection is enabled and the SteelHead is peered with an
Interceptor, traffic is relayed if there are no Path Selection channels configured. The
current connections reports may show Path Selection is occurring for the relayed
traffic. No workaround.

216828 For optimized flows in which traffic from the server is marked with DSCP 0,
the zero value is not copied onto the optimized channel if QoS marking is disabled.
Instead, the DSCP mark from the client is reflected in the server-to-client direction.
Setting an explicit marking on the server or enabling QoS marking on the server-side
SteelHead will prevent this issue.

221376 When an IPMI alarm is raised, the web user interface may show the
description twice; e.g., "Power Unit #0xf2:AC lost Power Unit #0xf2:AC lost". No
workarounds exist.


200364 Link failure has been observed on certain NICs with the Intel i350 chipset
(Riverbed part number 410-00115-01) when autoneg is turned off or hard set to full
or half when speed is set to 100 Mbps or 10 Mbps. Setting speed and autoneg to
auto/auto on one side, with the other side hard set, will bring the link up successfully.
Another workaround is to hard set the speed and leave autoneg set to Auto instead of
hard setting it to full or half.

7) UPGRADING THE RIOS SOFTWARE VERSION


Please review the Steelhead Appliance Installation and Configuration Guide for information
on upgrading the RiOS software version on Steelhead appliances. For Virtual Steelheads,
please see the Virtual Steelhead Appliance Installation Guide. If running Cloud Steelheads,
please see the Riverbed Cloud Services User's Guide.

8) CMC COMPATIBILITY
Please review the Steelhead Appliance Installation and Configuration Guide for information
on CMC compatibility.

9) HARDWARE AND SOFTWARE DEPENDENCIES


Please review the Steelhead Appliance Installation and Configuration Guide for information
on hardware and software dependencies. For Virtual Steelheads, please see the Virtual
Steelhead Appliance Installation Guide. If running Cloud Steelheads, please see the Riverbed
Cloud Services User's Guide.


10) CONTACTING RIVERBED SUPPORT


Visit the Riverbed Support site to download software updates and documentation, browse
our library of Knowledge Base articles and manage your account. To open a support case,
choose one of the options below.

Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial
+1 415 247 7381.

Online
You can also submit a support case online.

Email
Send email to support@riverbed.com. A member of the support team will reply as quickly as
possible.

© 2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo
used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their
respective owners. The trademarks and logos displayed herein may not be used without the prior written
consent of Riverbed Technology or their respective owners.
