Patch SOL-40151

This patch updates firmware to address potential security vulnerabilities in some Intel Server Boards that may allow escalation of privilege or denial of service.

This patch applies only to the following appliance types shipped before October 19, 2020, on any version of SolOS. Other appliance types are not exposed to these vulnerabilities.

  • CHS-3530AC-02-A

  • CHS-3560AC-03-A

  • CHS-3560AC-06-A

This patch resolves the following Common Vulnerabilities and Exposures (CVEs):

CVE-2020-8708, CVE-2020-8730, CVE-2020-8731, CVE-2020-8707, CVE-2020-8719, CVE-2020-8721, CVE-2020-8710, CVE-2020-8711, CVE-2020-8712, CVE-2020-8718, CVE-2020-8722, CVE-2020-8732, CVE-2020-8709, CVE-2020-8723, CVE-2020-8713, CVE-2020-8706, CVE-2020-8729, CVE-2020-8715, CVE-2020-8716, CVE-2020-8714, CVE-2020-8717, CVE-2020-8720.

Instructions for Standalone Appliances

Applying this patch is service impacting and requires a reboot of the appliance.

Do NOT continue the patching process if you run into any unexpected issues—contact Solace for assistance.

The patch script can be run with the -c flag. If this flag is specified, the script verifies whether the patch can be applied or has already been applied to the appliance.

Installation Procedure

  1. Make a copy of the current SolOS configuration in the /configs directory and then back up the file to an SFTP or SCP server:
    solace> enable
    solace# copy current-config /configs/sol_40151_prePatchCfg
    solace# copy /configs/sol_40151_prePatchCfg <destination>
  2. Ensure direct shell access is enabled:
    solace> show authentication
    
    . . .
    
    Shell Users                                        Direct shell login enabled
    ================================================== ==========================
    support                                                                   Yes

    To enable direct shell access, run the following commands:

    solace> enable
    solace# configure
    solace(configure)# authentication allow-direct-shell-login
  3. Copy the patch package to the Solace appliance:
    $ scp patch-sol-40151.tgz support@<appliance-mgmt-ip>:
  4. Log in to the appliance with the support account over an SSH connection:

    Do not run this procedure by dropping to the support shell from the CLI. If you do this, your shell session will become unresponsive while applying this patch.

    $ ssh support@<appliance-mgmt-ip>
  5. Unpack the patch package:
    $ cd /usr/sw/support
    $ tar zxf patch-sol-40151.tgz
  6. Change to the patch-sol-40151 directory:
    $ cd /usr/sw/support/patch-sol-40151
  7. Check whether the appliance needs this patch (the root password is required):
    $ sudo ./patch-sol-40151 -c
    • If the output is Patch is not installed, proceed to Step 8.

    • If the output is Patch is installed or This patch does not apply to this platform. Supported platform: CHS-3530AC-02-A, CHS-3560AC-03-A, and CHS-3560AC-06-A, patching is not required. Stop this procedure.

  8. Disable the solace service and then reboot the appliance (the root password is required):

    This step causes a service outage.

    $ sudo chkconfig solace off
    $ sudo /sbin/reboot
  9. Wait until the appliance has finished rebooting, then log in over an SSH connection. Rebooting has completed when you can connect over SSH as the support user.
    $ ssh support@<appliance-mgmt-ip>

    The Solace service is disabled and SolOS won't start.

  10. Confirm that the solace service has stopped.
    $ sudo service solace status
    solace service is stopped
    [run] processes are enabled
    solacedaemon is stopped

    Do NOT proceed with the installation until the solace service has stopped.

  11. Change to the patch-sol-40151 directory:
    $ cd /usr/sw/support/patch-sol-40151
  12. Run the patch script with sudo to install the patch (the root password is required). The installation may take up to 15 minutes.
    $ sudo ./patch-sol-40151 -i
    Firmware update in progress. This may take up to 15 minutes to exit. Please wait...
    Firmware update succeeded!
    Patch was applied successfully
  13. Enable the solace service and then reboot the appliance (the root password is required):
    $ sudo chkconfig solace on
    $ sudo /sbin/reboot
  14. Wait until the appliance has finished rebooting, then verify the BIOS version by entering the show hardware details command in the CLI. The expected BIOS version is: SE5C610.86B.01.01.1029.C1.090220201031
    solace> show hardware details
  15. If you had to enable direct shell access in Step 2 to run this procedure, turn it off now.
    solace> enable
    solace# configure
    solace(configure)# no authentication allow-direct-shell-login

You have completed this procedure.

Instructions for Redundant (HA) Appliances

  • This procedure requires HA failovers that briefly interrupt client connections as they disconnect and then reconnect to the newly active appliance. We recommend running this procedure during a maintenance window.
  • Apply this patch to the appliances in an HA pair (redundant appliances) one appliance at a time. Only patch the second appliance in the HA pair after the first appliance has rebooted and is providing service. This procedure applies the patch to the backup appliance first, then the primary appliance.
  • Do NOT continue the patching process if you run into any unexpected issues—contact Solace for assistance.

If you run the patch script with the -c flag, the script verifies whether the patch can be applied or has already been applied to the appliance.

Installation Procedure

  1. On the primary appliance, ensure that the redundancy state is correct by running the show redundancy command:

    If the HA pair is using the Active/Active redundancy mode, the output from the show redundancy command looks like the following (the output may vary by appliance version):

    If the HA pair is using Active/Standby redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

  2. On the backup appliance, ensure that the redundancy state is correct by running the show redundancy command:

    If the HA pair is using the Active/Active redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    If the HA pair is using Active/Standby redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    With the exception of the Auto Revert value, if the redundancy state of either the primary or backup appliance does not correspond to the examples above, do NOT patch the appliances. Instead, contact Solace for further instructions.

  3. If Config-Sync is enabled, confirm that it is operationally up on both the primary and backup appliances; this means all configuration is synchronized.

    For example:

    solace-primary> show config-sync
    
    Admin Status                      : Enabled
    Oper Status                       : Up
    solace-backup> show config-sync
    
    Admin Status                      : Enabled
    Oper Status                       : Up

    If the operational status of config-sync is not Up, you should resolve this before proceeding.

  4. Make a copy of the current SolOS configuration in the /configs directory on both appliances, then back up the files to an SFTP or SCP server.
    solace-primary> enable
    solace-primary# copy current-config /configs/sol_40151_prePatchCfg_primary
    solace-primary# copy /configs/sol_40151_prePatchCfg_primary <destination>
    solace-backup> enable
    solace-backup# copy current-config /configs/sol_40151_prePatchCfg_backup
    solace-backup# copy /configs/sol_40151_prePatchCfg_backup <destination>
  5. On the backup appliance, ensure direct shell access is enabled:
    solace-backup> show authentication
    
    . . .
    
    Shell Users                                        Direct shell login enabled
    ================================================== ==========================
    support                                                                   Yes

    To enable direct shell access, run the following commands:

    solace-backup> enable
    solace-backup# configure
    solace-backup(configure)# authentication allow-direct-shell-login
  6. Copy the patch package to the backup appliance:
    $ scp patch-sol-40151.tgz support@<appliance-mgmt-ip>:
  7. Log in to the backup appliance with the support account over an SSH connection:
    $ ssh support@<appliance-mgmt-ip>

    Do not run this procedure by dropping to the support shell from the CLI. If you do this, your shell session will become unresponsive while applying this patch.

  8. Unpack the patch package:
    $ cd /usr/sw/support
    $ tar zxf patch-sol-40151.tgz
  9. Change to the patch-sol-40151 directory:
    $ cd /usr/sw/support/patch-sol-40151
  10. Verify whether the appliance needs this patch (the root password is required):
    $ sudo ./patch-sol-40151 -c
    • If the output is Patch is not installed, proceed to Step 11.
    • If the output is Patch is installed or This patch does not apply to this platform. Supported platform: CHS-3530AC-02-A, CHS-3560AC-03-A, and CHS-3560AC-06-A, patching is not required for the backup appliance. Proceed to Step 22.
  11. On the backup appliance, release activity to the primary appliance before installing the patch:
    solace-backup# configure
    solace-backup(configure)# redundancy
    solace-backup(configure/redundancy)# release-activity
    solace-backup(configure/redundancy)# end
  12. On the primary appliance, ensure that the redundancy state is correct by running the show redundancy command:

    If the HA pair is using the Active/Active redundancy mode, the Activity Status for both virtual routers should be Local Active. For example (output may vary by appliance version):

    If the HA pair is using the Active/Standby redundancy mode, the Activity Status for the primary virtual router should be Local Active. For example (output may vary by appliance version):

    If the redundancy status on the primary appliance is not correct, do NOT proceed with the patch. Instead, contact Solace for further instructions.

  13. On the backup appliance, disable the solace service and then reboot the appliance (the root password is required):
    $ sudo chkconfig solace off
    $ sudo /sbin/reboot
  14. Wait until the backup appliance has finished rebooting, then log in using an SSH connection. Rebooting has completed when you can connect over SSH as the support user.
    $ ssh support@<appliance-mgmt-ip>

    The Solace service is disabled and SolOS won't start.

  15. Confirm that the solace service has stopped:
    $ sudo service solace status
    solace service is stopped
    [run] processes are enabled
    solacedaemon is stopped

    Do NOT proceed with the installation until the solace service has stopped.

  16. Enter the patch-sol-40151 directory:
    $ cd /usr/sw/support/patch-sol-40151
  17. On the backup appliance, run the patch script with sudo to install the patch (the root password is required). The installation may take up to 15 minutes:
    $ sudo ./patch-sol-40151 -i
    [sudo] password for root:
    Firmware update in progress. This may take up to 15 minutes to exit. Please wait...
    Firmware update succeeded!
    Patch was applied successfully
  18. Enable the solace service and then reboot the appliance (the root password is required):
    $ sudo chkconfig solace on
    $ sudo /sbin/reboot
  19. Wait until the appliance has finished rebooting and then verify the BIOS version by entering the show hardware details command in the CLI. The expected BIOS Version is: SE5C610.86B.01.01.1029.C1.090220201031
    solace> show hardware details
  20. On the backup appliance, allow messaging activity to resume:
    solace-backup# configure
    solace-backup(configure)# redundancy
    solace-backup(configure/redundancy)# no release-activity
    solace-backup(configure/redundancy)# end
  21. On the backup appliance, ensure that the redundancy state is correct by running the show redundancy command:

    If the HA pair is using the Active/Active redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    If the HA pair is using the Active/Standby redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    It may take several minutes for the backup redundancy status to transition to Up as the backup router synchronizes its states from the primary appliance.

    If the redundancy status on the backup appliance is not correct, do NOT proceed with the patch. Instead, contact Solace Support for further instructions.

  22. On the backup appliance, if you had to enable direct shell access in Step 5 to run the procedure, turn it off now:
    solace-backup> enable
    solace-backup# configure
    solace-backup(configure)# no authentication allow-direct-shell-login
  23. On the primary appliance, ensure direct shell access is enabled:
    solace-primary> show authentication
    
    . . .
    
    Shell Users                                        Direct shell login enabled
    ================================================== ==========================
    support                                                                   Yes

    To enable direct shell access, run the following commands:

    solace-primary> enable
    solace-primary# configure
    solace-primary(configure)# authentication allow-direct-shell-login
  24. Copy the patch package to the primary appliance:
    $ scp patch-sol-40151.tgz support@<appliance-mgmt-ip>:
  25. Log in to the primary appliance with the support account over an SSH connection:
    $ ssh support@<appliance-mgmt-ip>

    Do not run this procedure by dropping to the support shell from the CLI. If you do this, your shell session will become unresponsive while applying this patch.

  26. Unpack the patch package:
    $ cd /usr/sw/support
    $ tar zxf patch-sol-40151.tgz
  27. Enter the patch-sol-40151 directory:
    $ cd /usr/sw/support/patch-sol-40151
  28. Check whether the appliance needs this patch (the root password is required):
    $ sudo ./patch-sol-40151 -c
    • If the output is Patch is not installed, proceed to Step 29.

    • If the output is Patch is installed or This patch does not apply to this platform. Supported platform: CHS-3530AC-02-A, CHS-3560AC-03-A, and CHS-3560AC-06-A, patching is not required for the primary appliance. Proceed to Step 43.

  29. On the primary appliance, release messaging activity to the backup appliance before installing the patch:
    solace-primary# configure
    solace-primary(configure)# redundancy
    solace-primary(configure/redundancy)# release-activity
    solace-primary(configure/redundancy)# end
  30. On the backup appliance, confirm that the redundancy status is correct by running the show redundancy command:

    If the HA pair is using the Active/Active redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    If the HA pair is using the Active/Standby redundancy mode, the output from the show redundancy command on the backup appliance looks like the following (output may vary by appliance version):

    If the redundancy status on the backup appliance is not correct, do NOT proceed with the patch. Instead, contact Solace Support for further instructions.

  31. On the primary appliance, disable the solace service and then reboot the appliance (the root password is required):
    $ sudo chkconfig solace off
    $ sudo /sbin/reboot
  32. Wait until the appliance has finished rebooting, then log in using an SSH connection. Rebooting has completed when you can connect over SSH as the support user.
    $ ssh support@<appliance-mgmt-ip>

    The Solace service is disabled and SolOS won't start.

  33. Confirm that the solace service has stopped:
    $ sudo service solace status
    solace service is stopped
    [run] processes are enabled
    solacedaemon is stopped

    Do NOT proceed with the installation until the solace service has stopped.

  34. Change to the patch-sol-40151 directory:
    $ cd /usr/sw/support/patch-sol-40151
  35. Run the patch script with sudo to install the patch (the root password is required). The installation may take up to 15 minutes.
    $ sudo ./patch-sol-40151 -i
    [sudo] password for root:
    Firmware update in progress. This may take up to 15 minutes to exit. Please wait...
    Firmware update succeeded!
    Patch was applied successfully
  36. Enable the solace service and then reboot the appliance (the root password is required):
    $ sudo chkconfig solace on
    $ sudo /sbin/reboot
  37. Wait until the appliance has finished rebooting and then verify the BIOS version by entering the show hardware details command in the CLI. The expected BIOS version is: SE5C610.86B.01.01.1029.C1.090220201031
    solace> show hardware details
  38. Now that the patch has been installed on both the primary appliance and the backup appliance, allow activity on the primary appliance:
    solace-primary# configure
    solace-primary(configure)# redundancy
    solace-primary(configure/redundancy)# no release-activity
    solace-primary(configure/redundancy)# end
  39. On the primary appliance, confirm the redundancy status by running the show redundancy command:

    If the HA pair is using the Active/Active redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    If the HA pair is using the Active/Standby redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    It may take several minutes for the primary redundancy status to transition to Up as the primary appliance synchronizes its state from the backup appliance, which is still active at this point.

  40. If auto-revert is not configured, revert activity to the primary appliance from the backup appliance:
    solace-backup# admin
    solace-backup(admin)# redundancy revert-activity
    solace-backup(admin)# end
  41. Ensure that the primary appliance is in the correct redundancy state by running the show redundancy command:

    If the HA pair is using the Active/Active redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    If the HA pair is using the Active/Standby redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    The Auto Revert value is a configurable option and may be set to Yes depending on the redundant system configuration.

  42. On the backup appliance, ensure that the redundancy state is correct by running the show redundancy command:

    If the HA pair is using the Active/Active redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    If the HA pair is using the Active/Standby redundancy mode, the output from the show redundancy command looks like the following (output may vary by appliance version):

    The Auto Revert value is a configurable option and may be set to Yes depending on the redundant system configuration.

  43. If you had to enable direct shell access in Step 23 to run the procedure, turn it off now.
    solace-primary> enable
    solace-primary# configure
    solace-primary(configure)# no authentication allow-direct-shell-login

You have completed this procedure.
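Both procedures above hinge on a handful of go/no-go gates: the result of the -c check, the solace service really being stopped before the firmware is written, direct shell login being on (and off again afterwards), config-sync being Up on an HA pair, and the BIOS version matching the expected value after the reboot. When the steps are scripted, those gates are the first thing to get skipped. The shell functions below are an added example, not part of Solace's patch-sol-40151 package; each one turns the captured output of a command the procedure runs into a decision. The sample outputs are constructed from the lines the procedure quotes; the exact layout of the BIOS line in show hardware details, the wording of a "running" service status, and the placeholder pre-patch BIOS string are assumptions.

```sh
#!/bin/sh
# Added example for the SOL-40151 procedure; not Solace's patch-sol-40151 script.
# Each function reads the captured text of one command from the procedure and
# returns a go/no-go answer, so a wrapper script cannot silently skip a gate.
# Sample outputs are constructed; the BIOS line layout and the "running"
# status wording are assumptions, not captured appliance output.

EXPECTED_BIOS="SE5C610.86B.01.01.1029.C1.090220201031"

# Map the output of "patch-sol-40151 -c" (standalone step 7, HA steps 10 and 28)
# to the next action. Prints: install | skip-installed | skip-platform | unknown.
# "not installed" is matched first so the "installed" pattern cannot shadow it.
classify_check_output() {
    case "$1" in
        *"Patch is not installed"*)           echo install ;;
        *"Patch is installed"*)               echo skip-installed ;;
        *"does not apply to this platform"*)  echo skip-platform ;;
        *)                                    echo unknown ;;
    esac
}

# Gate for "service solace status" (standalone step 10, HA steps 15 and 33):
# succeeds only when both the service and solacedaemon report stopped.
solace_service_stopped() {
    printf '%s\n' "$1" | grep -q '^solace service is stopped' || return 1
    printf '%s\n' "$1" | grep -q '^solacedaemon is stopped'   || return 1
    return 0
}

# Gate for "show authentication" (standalone step 2, HA steps 5 and 23):
# the "support" row must end with "Yes" in the direct-shell column.
direct_shell_enabled() {
    printf '%s\n' "$1" \
      | awk '$1 == "support" { found = 1; if ($NF == "Yes") ok = 1 }
             END { if (found && ok) exit 0; exit 1 }'
}

# Classify "show config-sync" (HA step 3). Prints: up | not-up | disabled.
# "disabled" means config-sync is not in use, so this gate does not apply.
config_sync_state() {
    if ! printf '%s\n' "$1" | grep -q '^Admin Status *: *Enabled'; then
        echo disabled
    elif printf '%s\n' "$1" | grep -q '^Oper Status *: *Up'; then
        echo up
    else
        echo not-up
    fi
}

# Extract the BIOS version from "show hardware details" (standalone step 14,
# HA steps 19 and 37) and compare it with the version the advisory expects.
bios_version() {
    printf '%s\n' "$1" \
      | sed -n '/[Bb][Ii][Oo][Ss]/s/.*\(SE5C[0-9A-Za-z.]*\).*/\1/p' \
      | head -n 1
}
bios_version_ok() {
    [ "$(bios_version "$1")" = "$EXPECTED_BIOS" ]
}

# --- constructed sample outputs ----------------------------------------
CHECK_NOT_INSTALLED="Patch is not installed"
CHECK_PLATFORM="This patch does not apply to this platform. Supported platform: CHS-3530AC-02-A, CHS-3560AC-03-A, and CHS-3560AC-06-A"
STATUS_STOPPED="solace service is stopped
[run] processes are enabled
solacedaemon is stopped"
STATUS_RUNNING="solace service is running
[run] processes are enabled
solacedaemon is running"
AUTH_ON="Shell Users                                        Direct shell login enabled
================================================== ==========================
support                                                                   Yes"
AUTH_OFF="Shell Users                                        Direct shell login enabled
================================================== ==========================
support                                                                    No"
SYNC_UP="Admin Status                      : Enabled
Oper Status                       : Up"
# Assumed line layout; the version string on the first line is the expected one.
HW_OK="BIOS Version                      : SE5C610.86B.01.01.1029.C1.090220201031"
# Placeholder pre-patch value, not a real BIOS release string.
HW_OLD="BIOS Version                      : SE5C610.86B.01.01.0000.C1.000000000000"

# Stand-alone demonstration against the constructed samples.
echo "check: $(classify_check_output "$CHECK_NOT_INSTALLED") / $(classify_check_output "$CHECK_PLATFORM")"
solace_service_stopped "$STATUS_STOPPED" && echo "service stopped: ok to run -i"
solace_service_stopped "$STATUS_RUNNING" || echo "service running: do NOT run -i"
direct_shell_enabled "$AUTH_ON" && echo "direct shell: enabled"
direct_shell_enabled "$AUTH_OFF" || echo "direct shell: disabled (enable it first)"
echo "config-sync: $(config_sync_state "$SYNC_UP")"
bios_version_ok "$HW_OK"  && echo "BIOS $(bios_version "$HW_OK"): patched"
bios_version_ok "$HW_OLD" || echo "BIOS $(bios_version "$HW_OLD"): NOT patched"
```

On a real appliance you would feed these functions the output of the corresponding commands (for example `sudo ./patch-sol-40151 -c` captured into a variable) and stop the run on the first gate that fails, exactly where the procedure says "Do NOT proceed". The BIOS check is deliberately tolerant of column layout because the procedure notes that CLI output varies by appliance version.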