Security Patches

The Settings > Maintenance > Security Patches page in the Aviatrix Controller lists all available security patches and indicates whether or not they have been installed. It is expected that customers who upgrade to the latest release install any patches that are not currently installed, or only partially installed. The table at the end of this document lists the available patches.

Applying a Security Patch

To apply a patch:

  1. Back up your Aviatrix Controller. For more information, see Controller Backup and Restore.

  2. Apply the security or software patch on the controller. From the Aviatrix Controller, navigate to Settings > Maintenance > Security Patches or Software Patches and click on Update Available Patches. You should see the new patch in the display.

  3. Apply the patch by clicking on the icon on the right and selecting Apply Patch from the popup menu.

  4. Validate the update by clicking on the icon on the right, selecting Patch Status, and scrolling down to the bottom of the page.

  5. Back up your Aviatrix Controller again to save the new configuration.

Controllers Security Patch (01 Nov 21)

Subject: AVI-2021-0005 Apache Request Smuggling Vulnerability Security Patch.

Issues: This patch addresses vulnerabilities fixed by Apache version 2.4.51.

Aviatrix released new AMIs for AWS on 13 Oct 2021 to address vulnerabilities (CVE-2021-40438 and CVE-2021-33193). You are fully covered if you migrated your Controller to use the new AMIs mentioned in the AWS AMI image release notes, and you followed the instructions for migrating images.

This patch will address the same issue without requiring a Controller migration.

For Controllers running in AWS, Aviatrix recommends that you migrate your Controllers as instructed in migrating images.

For Controllers running in cloud service providers other than AWS (Azure, GCP, etc.), you can apply this security patch.

To apply the security patch:

  1. Secure a maintenance window and execute the following during the maintenance window.

  2. Go to your Controller (any version) management console.

  3. Go to Settings > Maintenance > Backup & Restore. Make sure you have a backup of your current settings.

  4. Go to Settings > Maintenance > Security Patches and click on "Update available patches".

  5. From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.

  6. Back up your Controller again.

(CloudN standalone mode) To apply the security patch if you have CloudN running in a standalone mode, Aviatrix suggests you run the following in a maintenance window:

  1. Go to CloudN > Maintenance > Security Patches and click on "Update available patches".

  2. Please make sure that CloudN has outbound access to 0.0.0.0/0 for ports 80 and 443 before applying the patch.

  3. From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.

(CloudN in CaaG mode) To apply the security patch if you have CloudN running in a CaaG mode, Aviatrix suggests you run the following during a maintenance window:

  1. Detach CaaG from the Transit Gateway.

  2. Deregister the CaaG Gateway.

  3. Reload the CloudN UI page.

  4. Go to CloudN > Maintenance > Security Patches and click on "Update available patches".

  5. Please make sure that CloudN has outbound access to 0.0.0.0/0 for ports 80 and 443 before applying the patch.

  6. From the list of patches, apply the "AVI-2021-0005 Apache Request Smuggling Vulnerability" patch.

  7. Register CaaG back to the Controller.

  8. Attach CaaG back to the Transit Gateway.

When to Apply Patches

| Patch Name | Version | Description |
|---|---|---|
| Increase File Descriptor Limit | 5.4 or earlier | This patch will fix the VPN connection issue. Before this patch, OpenVPN® did not have permission to open more than 1024 connections per socket and it hung if more than 1024 sockets were open. This patch is only applicable to Gateways, and is not required after UserConnect-4.3. |
| Enable support for FIPS 140-2 | 6.0 or earlier | Enable support for FIPS 140-2 Module. Click here for more details. This patch is only applicable to Aviatrix Gateways. |
| Remove old UI | 6.0 or earlier | This patch will remove the unnecessary web server components from old UI pages which could be accessible without requiring credentials. Patch applied to Aviatrix Controller only. |
| X-XSS-Protection and X-Content-Type-Options-Headers | 5.2+ | Without the patch, the X-XSS-Protection and X-Content-Type-Options headers were not configured properly. Applicable to both Aviatrix Gateway and Controller. |
| SAML XML signature wrapping vulnerability | 6.0 or earlier | Without the patch, the SAML implementation in the Aviatrix Controller was vulnerable to XML Signature Wrapping: an attacker with any signed SAML assertion from the Identity Provider can establish a connection even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix. Applicable to Aviatrix Controller only. |
| AVI-2021-0004 Insecure SSH service configuration parameters | All versions | This security patch hardens the SSH service configuration. It is not applicable for CloudN devices. This patch does not impact the data path or the control path. Applicable to Aviatrix Controller only. |
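
The SAML XML signature wrapping entry above describes a service provider accepting an assertion that the Identity Provider's signature does not actually cover, or one that has expired. The following added example (not Aviatrix code and not the contents of the patch) shows the structural checks a SAML consumer makes to rule that out. It assumes an assertion-level enveloped signature whose value has already been verified by an XML-DSig library; the function names, users and IDs are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "ds": DS}

def select_assertion(response_xml, now):
    """Return the NameID of the single assertion that is safe to consume.
    Assumes the signature value was already verified; checks coverage and expiry."""
    root = ET.fromstring(response_xml)
    found = list(root.iter("{%s}Assertion" % SAML))
    if len(found) != 1:  # wrapping depends on an extra, unsigned assertion
        raise ValueError("expected exactly 1 Assertion, found %d" % len(found))
    assertion = found[0]
    aid = assertion.get("ID")
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if not aid or ref is None or ref.get("URI") != "#" + aid:
        raise ValueError("signature does not cover the consumed assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        raise ValueError("assertion has no expiry")
    expiry = datetime.strptime(cond.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ")
    if now >= expiry.replace(tzinfo=timezone.utc):
        raise ValueError("assertion expired")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def verdict(response_xml, now):
    try:
        return "accepted: " + select_assertion(response_xml, now)
    except ValueError as err:
        return "rejected: %s" % err

# Constructed sample data (hypothetical users and IDs, no real signature values).
def sample_assertion(aid, user, signed, expiry="2030-01-01T00:00:00Z"):
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/>'
           '</ds:SignedInfo></ds:Signature>' % (DS, aid)) if signed else ""
    return ('<saml:Assertion xmlns:saml="%s" ID="%s">%s<saml:Subject><saml:NameID>%s'
            '</saml:NameID></saml:Subject><saml:Conditions NotOnOrAfter="%s"/>'
            '</saml:Assertion>' % (SAML, aid, sig, user, expiry))

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SIGNED = sample_assertion("_a1", "user-a", True)
VALID = "<Response>%s</Response>" % SIGNED
EXPIRED = "<Response>%s</Response>" % sample_assertion("_a2", "user-a", True, "2020-01-01T00:00:00Z")
TWO = "<Response>%s%s</Response>" % (sample_assertion("_a3", "user-b", False), SIGNED)
if __name__ == "__main__":
    for doc in (VALID, EXPIRED, TWO):
        print(verdict(doc, NOW))
```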