Security Patches
The Settings > Maintenance > Security Patches page in the Aviatrix Controller lists all available security patches and shows whether each one has been installed. Customers who upgrade to the latest release are expected to install any patch that is not currently installed, or that is only partially installed. The table under When to Apply Patches below lists the available patches.
Applying a Security Patch
To apply a patch:
- Back up your Aviatrix Controller. For more information, see Controller Backup and Restore.
- From the Aviatrix Controller, navigate to Settings > Maintenance > Security Patches (or Software Patches for a software patch) and click Update Available Patches. The new patch appears in the list.
- Apply the patch by clicking the icon on the right and selecting Apply Patch from the popup menu.
- Validate the update by clicking the icon on the right, selecting Patch Status, and scrolling to the bottom of the page.
- Back up your Aviatrix Controller again to save the new configuration.
When to Apply Patches
Patch Name | Version | Description
---|---|---
OpenSSH CVE-2024-6387 "regreSSHion" | 7.1.3958 and later | Updates the OpenSSH packages to fix CVE-2024-6387, known as "regreSSHion". An image upgrade or migration to 7.1.4105 already includes the fix, so if you upgrade directly from 7.1.3956 or 7.1.4101 to 7.1.4105 you do not need to apply the patch. The patch is not applicable to releases prior to 7.1.3958; if it is applied to such a release anyway, it must be re-applied after upgrading. The patch is always safe to install: if you are unsure whether it is needed, apply it. Applies to both Aviatrix Gateway and Controller.
AVI-2021-0004 Insecure SSH service configuration parameters | All versions | Hardens the SSH service configuration. Not applicable to CloudN devices. Does not affect the data path or the control path. Applies to Aviatrix Controller only.
X-XSS-Protection and X-Content-Type-Options headers | 5.2+ | Without the patch, the X-XSS-Protection and X-Content-Type-Options response headers were not configured correctly. Applies to both Aviatrix Gateway and Controller.
AVI-2021-0005 Apache Request Smuggling Vulnerability | All versions | Addresses the vulnerabilities fixed in Apache 2.4.51. See Controllers Security Patch (01 Nov 21) below.
Enable support for FIPS 140-2 | 6.0 or earlier | Enables support for the FIPS 140-2 module. Applies to Aviatrix Gateways only.
Remove old UI | 6.0 or earlier | Removes unnecessary web server components belonging to old UI pages that could be reached without credentials. Applies to Aviatrix Controller only.
SAML XML signature wrapping vulnerability | 6.0 or earlier | Without the patch, the SAML implementation in the Aviatrix Controller was vulnerable to XML Signature Wrapping: an attacker holding any SAML assertion signed by the Identity Provider could establish a session, even if that assertion had expired or belonged to a user not authorized to access Aviatrix. Applies to Aviatrix Controller only.
Increase File Descriptor Limit | 5.4 or earlier | Fixes a VPN connection issue. Before the patch, the OpenVPN® process was limited to 1024 open file descriptors and hung once more than 1024 sockets were open. Applies to Gateways only; not required after UserConnect-4.3.
Controllers Security Patch (01 Nov 21)
Subject: AVI-2021-0005 Apache Request Smuggling Vulnerability Security Patch.
Issues: This patch addresses vulnerabilities fixed by Apache version 2.4.51.
Aviatrix released new AMIs for AWS on 13 Oct 2021 to address vulnerabilities (CVE-2021-40438 and CVE-2021-33193). You are fully covered if you migrated your Controller to use the new AMIs mentioned in the AWS AMI image release notes, and you followed the instructions for migrating images.
This patch will address the same issue without requiring a Controller migration.
For Controllers running in AWS, Aviatrix recommends that you migrate your Controllers as instructed in migrating images.
For Controllers running in cloud service providers other than AWS (Azure, GCP, etc.), you can apply this security patch.
To apply the security patch:
- Secure a maintenance window and perform the following steps during it.
- Go to your Controller (any version) management console.
- Go to Settings > Maintenance > Backup & Restore and make sure you have a backup of your current settings.
- Go to Settings > Maintenance > Security Patches and click "Update available patches".
- From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.
- Back up your Controller again.
(CloudN standalone mode) To apply the security patch if you have CloudN running in standalone mode, Aviatrix suggests you run the following during a maintenance window:
- Go to CloudN > Maintenance > Security Patches and click "Update available patches".
- Make sure that CloudN has outbound access to 0.0.0.0/0 on ports 80 and 443 before applying the patch.
- From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.
(CloudN in CaaG mode) To apply the security patch if you have CloudN running in CaaG mode, Aviatrix suggests you run the following during a maintenance window:
- Detach the CaaG from the Transit Gateway.
- Deregister the CaaG Gateway.
- Reload the CloudN UI page.
- Go to CloudN > Maintenance > Security Patches and click "Update available patches".
- Make sure that CloudN has outbound access to 0.0.0.0/0 on ports 80 and 443 before applying the patch.
- From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.
- Register the CaaG back to the Controller.
- Attach the CaaG back to the Transit Gateway.
Controller version 7.1.3956 is the last version that supports CloudN. CloudN is being replaced by Aviatrix Edge. For more information, contact your account team.