Readme File for Cisco Secure Access Control System (ACS)
Release: ACS 5.5.0.46
Patch: 5-5-0-46-6.tar.gpg
=======================================================================================

This patch fixes:

Patch 1:
* Bug Id:
  - CSCuj91631 Launch Session for Local GUI broke if Secondary hostname not resolved
  - CSCuj53935 Certificate Authority edit page is susceptible to XSS
  - CSCuj80866 Support bundle download is not working for nodes other than log collector
  - CSCul09022 ACS does not respond when TACACS request is sent in segmented packets
  - CSCth35755 Group mapping fails in ACS when group name contain "/ " in AD
  - CSCul29675 New Authorization rule does not hold customize position
  - CSCul32497 ACS:"Clear filter" option doesn't show more than 200 authorization rules
  - CSCul64484 ACSView NBAPI needs better debug logs
  - CSCuh63873 ACS View should implement syslog over TLS/TCP
  - CSCum03625 ACS 5.4 - Cross - Site Scripting Vulnerability
  - CSCum13044 ACS 5.5. subject not found on AD after password change
  - CSCuj94585 AD authentication fails when same user resides in different OUs
  - CSCuj01135 AD client exception while talking to LDAP server
  - CSCum26584 After upgrade 5.5, some GUI functions don't work with multiple CLI admin

Patch 2:
* Bug Id:
  - CSCum68228 ACS 5.5 internal user password change failure during CSV template import
  - CSCum86948 ACS5: Change password length min range to 4
  - CSCum86626 After upgrade acs 5.5 secondary server cannot register to primary server
  - CSCum51180 ACS 5.4: Tune alarm about config db size to display only when over 1G
  - CSCty13296 Chpass csv import doesn't verify the user's password validity
  - CSCum67932 ACS 5.5 not starting after upgrade due to unknown encryption algorithm

Patch 3:
* Bug Id:
  - CSCun37608 Secondary ignores new Primary if the old one comes online
  - CSCun85949 ACS5.5: Failed starting the services if attribute 150,151,152 configured
  - CSCun71995 NDG:Location not showing up on GUI
  - CSCun67769 Creating or editing "Favorites" failing when attribute length more
  - CSCun81726 ACS 5.5 not able to retrieve userAccountControl attribute from AD
  - CSCun92213 ACS 5.x opens too many TCP connections to remote DB
  - CSCun98622 Exporting MAC Address from End Station Filter causes auto logout
  - CSCtx99385 ACS Incorrectly Reports Incremental Backup Not Configured alert
  - CSCun84823 Unauthenticated users can see input validation code

Patch 4:
* Bug Id:
  - CSCuo54517 Override Global Log Configuration Fails
  - CSCuo88797 ACS 5.x should display message if unsupported browser is used for GUI
  - CSCuj41395 Cust DB: KRON cli is getting added in "sh run" cli for service restart
  - CSCuo93378 Certain browsers cause ACS database corruption
  - CSCuo82841 ACS 5.5 mandates a secret key for tacacs aaa clients
  - CSCuo60270 ACS fails to join AD domain with a large number of domain controllers
  - CSCum60476 ACS 5.4 not fetching the internal groups
  - CSCun05712 ACS RSA agent exhausted under heavy load
  - CSCuo68704 Improve CheckStatus Monitoring Functionality in ACS
  - CSCuo78625 ACS 5.5 TACACS Shared Secret - Special Character Problem
  - CSCuo88163 Getting Users object using PI on ACS 5.5 not working
  - CSCuo63302 ACS 5.3 Change password of a cloned user via REST Services fails
  - CSCuo19733 ACS 5.5 View report custom start-end queries last 500 pages of day only

Patch 5:
* Bug Id:
  - CSCuo89864 ACS 5.5: Issue with Cross Frame Scripting and session tokens in the URL
  - CSCuo89889 ACS 5.5: Set-Cookie does not use HTTPOnly Keyword
  - CSCuo89946 Non-approved hash algorithm used to store sensitive data
  - CSCuo93378 Certain browsers cause ACS database corruption
  - CSCup00818 Permission error for 'show app stat acs' from CLI user role account
  - CSCup10509 ACS 5.5 - SuperAdmin Issue
  - CSCup32287 ACS 5.5 Disabling Syslog TCP Port 6514 not supported
  - CSCup34695 ACS 5.5 Remote export Fails due to mismatched Data Types
  - CSCup77077 ACS 5.5 not getting userAccountControl AD attribute after LRPC conn fail
  - CSCuq00890 ACS 5.x: Unexpected behaviour with replication due to HALT command
  - CSCtx65471 Log collector reload on deployment setup stopping syslog
  - CSCup75144 Authorization policy fail to load with IE

Patch 6:
* Bug Id:
  - CSCur00511 ACS evaluation for CVE-2014-6271 and CVE-2014-7169

Patch 5-5-0-46-6.tar.gpg consists of:
* files
  acsadmin.war
  avreports.war
  PI.war
  libInternalIDStore.so
  libtacacs.so
  acs-replication-5.5.0.46.B.723.jar
  acsview.war
  businessdelegate-5.0.jar
  platformutil-5.0.jar
  dbpurge-5.0.jar
  dataupgrade-5.0.jar
  dbms-5.0.jar
  remotedatabase-5.0.jar
  ACSViewWebServices.war
  acs-bl-framework-5.5.0.46.B.723.jar
  libSecureSyslogServer.so
  rt_daemon
  acs
  acs
  acsCheckFw.sh
  centrifydc.conf
  adcheck
  adclient
  addns
  adfinddomain
  adfixid
  adflush
  adgpupdate
  adinfo
  adjoin
  adkeytab
  adleave
  adpasswd
  adquery
  adreload
  adcache
  adrmlocal
  adsetgroups
  adsmb
  adupdate
  cdcwatch
  ldapadd
  ldapcompare
  ldapdelete
  ldapmodify
  ldapmodrdn
  ldapsearch
  libcom_err.so
  libcom_err.so.3.0
  libgssapi_krb5.so.2.2
  libgssrpc.so.4.0
  libk5crypto.so.3.0
  libkdb5.so.4.0
  libkrb5.so.3.2
  libcapi.so.0.0.0
  libeda.so.0
  liblber-2.2.so.7.0.19
  libldap_r-2.2.so.7.0.19
  libldap-2.2.so.7.0.19
  liblrpc.so.0.0.0
  libgcc_s-3.4.6-20060404.so.1
  libstdc++.so.6.0.3
  libsn2princ.so.0.0.0
  libuuid.so.1.2
  libgnugetopt.so.1
  libActiveDirectoryIDStore.so
  librtControl.so
  logforward
  CLI.war
  libLogging.so
  FilterConfig.txt
  collection-5.0.jar
  AttributeTypes.xml
  HP_ATTRIBUTETYPE.txt
  dbpurge-5.0.jar
  acs-transfer-utils-5.5.0.46.B.723.jar
  acs-distributedmanagement-5.5.0.46.B.723.jar
  acs-internalcli-5.5.0.46.B.723.jar
  change_encryption.sh
  acs-db-5.5.0.46.B.723.jar
  acsview_reports_upgrade_5_5.sql
  libRSAIDStore.so
  libEventHandler2.so
  libaceclnt.so
  monit_script.sh
  libCryptoLib.so
  clients.war
  acs-common-5.5.0.46.B.723.jar
  acs-aac-5.5.0.46.B.723.jar
  libcrypto.so.0.9.8
  libssl.so.0.9.8
  Rest.war
  liferay.war
  catalina.jar
  commons-lang3-3.1.jar
  antisamy-1.4.5.jar
  batik-css-1.7.jar
  nekohtml-1.9.12.jar
  xercesImpl-2.8.1.jar
* adeos-patch
  CARSCmdSched-2.0cars-1.i386.rpm
  CARSJava-2.0-1.i386.rpm
  CARSOpenSSH-2.0cars-1.i386.rpm
  CARSUserStore-2.0cars-1.i386.rpm
  GPCESetup-2.0gpce-1.i386.rpm
  bash-3.2-33.el5_11.4.i386.rpm

Prerequisites
=============
This patch should be installed only on top of the ACS 5.5.0.46 FCS release or ACS 5.5.0.46 with patch 1 to patch 5. Other prerequisites are the same as for ACS 5.5.0.46 (FCS Version).

If you installed the FCS version of ACS 5.5.0.46 (without any patch), the "show version" output would display the following for ACS Version:

Version : 5.5.0.46
Internal Build ID : B.723

What the Patch Fixes
====================
The patch fixes the following defects:

- CSCuj91631 Launch Session for Local GUI broke if Secondary hostname not resolved
  The fix handles the following two use cases:
  1) When the hostname is resolvable, the secondary server GUI is launched with the Fully Qualified Domain Name (FQDN) of the host in the URL.
  2) When the hostname is not resolvable, the secondary server GUI is launched with the IP address in the URL.

- CSCuj53935 Certificate Authority edit page is susceptible to XSS
  This fix introduces contemporary security mechanisms to address the XSS. If any request is coming through an XSS vulnerability (like ) in ACS, the scanner will scan and clean the vulnerability and the filter will redirect the response to the logout page.

- CSCuj80866 Support bundle download is not working for nodes other than log collector
  The support bundle collection mechanism is changed so that it occurs through RMI. This RMI will be secured if Trust communication settings are enabled. A new option is introduced in the ACS View GUI to select the repository to which the support bundle needs to be copied. The support bundle will no longer be downloaded through the browser, for security purposes.

- CSCul09022 ACS does not respond when TACACS request is sent in segmented packets
  Changed the TACACS read mechanism so that segmented packets are processed properly and a reply is sent back to the client.
- CSCth35755 Group mapping fails in ACS when group name contain "/ " in AD
  The AD group name fetching varies between ACS Management and Runtime. Management uses the distinguished name whereas runtime uses the canonical name, and there is a format difference between those two types of names. As a fix, both management and runtime now use the canonical format of AD groups.

- CSCul29675 New Authorization rule does not hold customize position
  This issue is due to an improper sort in the XML content which holds the policy contents. The fix sorts the content properly to avoid the issue.

- CSCul32497 ACS:"Clear filter" option doesn't show more than 200 authorization rules
  While clearing the filter, it was hard coded to fetch only 200 rules. The code is modified to fetch the rules based on the rows length.

- CSCul64484 ACSView NBAPI needs better debug logs
  The fix adds more debug logs to ACS View NBAPI. These debug logs are related to the input parameters received by NBAPI. This is helpful for TAC or DE to see whether ACS View NBAPI receives proper parameters from the client or not.

- CSCuh63873 ACS View should implement syslog over TLS/TCP
  The log collector now listens on a secure TCP port as well. If this option is selected, the log collector will receive all the messages securely. The issuer of the sender's management certificate must be trusted by the log collector.

- CSCum03625 ACS 5.4 - Cross - Site Scripting Vulnerability
  Here the issue is related to the RSA page. To prevent XSS injection, validation code is added to handle the reported issues.

- CSCum13044 ACS 5.5. subject not found on AD after password change
  With this fix, there will be no connectivity loss between ACS and the domain after "change password" is enabled and the password is changed successfully.

- CSCuj94585 AD authentication fails when same user resides in different OUs
  When the same user resides in two different OUs, one of the user authentications fails. This issue is addressed in the AD client and it works for Windows 2008 and the latest Windows versions of AD Server(s). As a part of this fix the adclient cache is cleared during the AD client startup, which may make the initial AD authentications slower. This issue is not addressed for Windows 2003 AD.

- CSCuj01135 AD client exception while talking to LDAP server
  The crash occurred while adclient was rebuilding its trusted domain map by contacting GCs. This issue is fixed in the third party AD client code.

- CSCum26584 After upgrade 5.5, some GUI functions don't work with multiple CLI admin
  The GUI operations such as support bundle collection, scheduled backup of ACS and View work as expected.
  Note: If you have a CLI admin user named "acsuser", please remove the user, because this user name is used in ACS 5.5 as a system user.

- CSCum68228 ACS 5.5 internal user password change failure during CSV template import
- CSCum86948 ACS5: Change password length min range to 4
  In ACS 5.5, we modified the minimum length of the password from 4 to 8, but this had an impact on existing users who already had a password shorter than 8 characters. This fix allows internal users to have a minimum password length of 4. The customer will be able to migrate and import/update users with a minimum password length of 4 characters.
  Note: After applying this patch, configure "Minimum Length: 4 characters" under the "System Administration > Users > Authentication Settings" page in ACS before migration or before starting to import internal user data with the minimal password length.

- CSCum86626 After upgrade acs 5.5 secondary server cannot register to primary server
  This addresses the registration issues that were seen in a deployment after upgrading to 5.5 where servers are located in remote networks. This fix ensures that the required ports are opened internally upon receiving the registration request from another server.
- CSCum51180 ACS 5.4: Tune alarm about config db size to display only when over 1G
  With this fix, there will be an alarm only if the physical size of the ACS configuration database exceeds its actual size by more than 1 GB.

- CSCty13296 Chpass csv import doesn't verify the user's password validity
  This fix checks the password history during user update via CSV file import. The given password should not be the same as a recent password in the history. It also fixes the issue of prompting to change the password even though the change password option is not set in the GUI.

- CSCum67932 ACS 5.5 not starting after upgrade due to unknown encryption algorithm
  This fix modifies the database encryption algorithm to a FIPS compliant algorithm if it was set to simple in the customer database, so that services will start after applying this patch.

- CSCun37608 Secondary ignores new Primary if the old one comes online
  This fix addresses the issue of secondary servers ignoring the new primary, or a breakdown of replication with other secondary servers, when the old primary comes back online. The old primary which was offline during promotion of the new secondary will be removed from the deployment automatically to prevent any further communication of that particular node with nodes in the current deployment. Once it comes back online it needs to be registered back to the deployment.

- CSCun85949 ACS5.5: Failed starting the services if attribute 150,151,152 configured
  With this fix, (a) the runtime service will be up after restoring a 5.3/5.4 backup having Vendor ID 3076 attributes 150/151/152 with different attribute names, and (b) ACS services will be up after restoring a 5.3/5.4 backup having Vendor ID 3076 attributes 150/151/152 with the same attribute names.

- CSCun71995 NDG:Location not showing up on GUI
  With this fix, NDG options like the Location/Device Type drop downs are displayed properly.
- CSCun67769 Creating or editing "Favorites" failing when attribute length more
  Favorite reports can now be created for attributes with greater length, for example the Failure reason "24405 Active Directory operation failed because of a timeout error".

- CSCun81726 ACS 5.5 not able to retrieve userAccountControl attribute from AD
  With this fix the "userAccountControl" attribute can be retrieved from AD.

- CSCun92213 ACS 5.x opens too many TCP connections to Oracle DB
  If the remote database export (either Oracle or MSSQL) is configured, ACS will not establish more TCP connections with external database servers. The established connections are closed once the export operation is completed.

- CSCun98622 Exporting MAC Address from End Station Filter causes auto logout
  The inconsistent issue of ACS logging out during the "Export to file/Replace from File" operation under End Station Filter is addressed as a part of this fix.

- CSCtx99385 ACS Incorrectly Reports Incremental Backup Not Configured alert
  ACS reports the "Incremental backup not configured" alert only when incremental backup is not configured.

- CSCuo54517 Override Global Log Configuration Fails
  With this fix the customer should be able to configure Log Override configuration on a per instance basis.

- CSCuo63302 ACS 5.3 Change password of a cloned user via REST Services fails
  This fix addresses the issue with the duplicate functionality for users which have a configurable attribute. The same fix resolves user updates such as change password and other user updates in the REST client.

- CSCuo19733 ACS 5.5 View report custom start-end queries last 500 pages of day only
  This fix addresses the issue by fetching the data based on the time stamp and then filtering the top 25,000 records. It is applicable to the authorization and authentication reports for RADIUS and TACACS.

- CSCuo78625 ACS 5.5 TACACS Shared Secret - Special Character Problem
  This fix allows adding single and double quotes (' and ") in TACACS and RADIUS shared secrets.
- CSCuj41395 Cust DB: KRON cli is getting added in "sh run" cli for service restart
  With this fix, the scheduled backup configuration added via the GUI is added only once in the CARS CLI. It fixes the multiple additions of the same configuration in the CLI.

- CSCuo88797 ACS 5.x should display message if unsupported browser is used for GUI
  With this fix the customer can know whether the browser used to access the ACS GUI is supported or not, and "more info" gives the list of supported browsers.

- CSCuo82841 ACS 5.5 mandates a secret key for tacacs aaa clients
  This fix allows the page to be submitted with the TACACS AAA client secret key as optional.

- CSCuo60270 ACS fails to join AD domain with a large number of domain controllers
  With this fix ACS should be able to join an AD domain with a large number of domain controllers.

- CSCum60476 ACS 5.4 not fetching the internal groups
  With this fix PAP authentication should be successful when the change password option is enabled in ACS for internal users, provided the credentials are correct.

- CSCun05712 ACS RSA agent exhausted under heavy load
  This fix addresses the RSA agent thread exhaustion issue under heavy load. Runtime should not get restarted and the RSA agent should not hang when it is heavily loaded.

- CSCuo68704 Improve CheckStatus Monitoring Functionality in ACS
  This fix improves the check status monitoring functionality of the registered ACS nodes.

- CSCuo88163 Getting Users object using PI on ACS 5.5 not working
  With this fix the default value of the date exceeds option is sent as part of the user objects PI response if the date exceeds option is not set.

- CSCuo93378 Certain browsers cause ACS database corruption
  Using an unsupported browser while configuring policy on ACS was corrupting the ACS database. Now, the policy will be validated and a proper error will be thrown to make sure the DB does not get corrupted even when an unsupported browser is used.
- CSCup34695 ACS 5.5 Remote export Fails due to mismatched Data Types
  This fix addresses the remote data export issue due to mismatched data types. Report data export should be successful.

- CSCup77077 ACS 5.5 not getting userAccountControl AD attribute after LRPC conn fail
  With this fix the userAccountControl AD attribute is properly retrieved even after an LRPC connection failure.

- CSCuq00890 ACS 5.x: Unexpected behaviour with replication due to HALT command
  With this fix, if the primary is issued a HALT command and one of the secondaries is promoted as primary, all the ACS servers in the deployment are updated with the new primary IP properly and there should not be any issues in replication.

- CSCtx65471 Log collector reload on deployment setup stopping syslog
  Logging continues to happen after reload/reboot of the system.

- CSCup75144 Authorization policy fail to load with IE 11
  This fix addresses the IE 11 specific issues seen in access service and other pages.

- CSCur00511 ACS evaluation for CVE-2014-6271 and CVE-2014-7169
  This fix addresses the vulnerabilities identified in the bash shell by upgrading the required system libraries. As this patch includes security fixes which require an ACS server reboot, it is highly recommended to proceed with the reboot option when the patch installation process prompts for it.

Known Issues:
============
CSCum82201 Logcollector service type not reverted back to defaults after patch removal
CSCum00128 In IE 11 Submit & cancel button is in disabled state for alarms page

Version details after installing the patch:

#show application version acs
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.5.0.46.6
Internal Build ID : B.723
Patches : 5-5-0-46-6

Instructions on how to install the patch
=================================
1. open CLI console
2. define new repository in which the 5-5-0-46-6.tar.gpg resides
3. issue: 'acs patch install 5-5-0-46-6.tar.gpg repository YOUR_REPOSITORY'
4. verify installation by getting the following version information via CLI by issuing:
   #show application version acs
   Cisco ACS VERSION INFORMATION
   =============================
   Version : 5.5.0.46.6
   Internal Build ID : B.723
   Patches : 5-5-0-46-6

Instructions on how to remove the patch
===================================
1. open CLI console
2. issue: 'acs patch remove 5-5-0-46-6'
3. verify patch removal by getting the following version information via CLI by issuing:
   #show application version acs
   (The version will be ACS 5.5 FCS)
   Cisco ACS VERSION INFORMATION
   =============================
   Version : 5.5.0.46
   Internal Build ID : B.723

=======================================================================
Copyright (C) 2014 Cisco Systems, Inc. All rights reserved.
Cisco and Cisco Systems are registered trademarks of Cisco Systems, Inc., in the U.S. and certain other countries.
All other trademarks mentioned in this document are the property of their respective owners.
=======================================================================
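Added example (not part of the Cisco readme): a small Python check for the "show application version acs" output that the install and removal steps above tell you to inspect. It parses the Version / Internal Build ID / Patches fields and reports whether a node is at the patch 6 level, at the unpatched FCS baseline, or in some other state, which is useful when auditing several ACS nodes from collected CLI output. The sample outputs are constructed from the format shown in this readme; the expected values are the ones the readme states.

```python
import re

# Values stated in the readme for ACS 5.5.0.46 after patch 6 is installed.
EXPECTED_VERSION = "5.5.0.46.6"
EXPECTED_BUILD = "B.723"
EXPECTED_PATCH = "5-5-0-46-6"
FCS_VERSION = "5.5.0.46"

# Constructed sample outputs, modelled on the "show application version acs"
# output shown in the readme (the FCS sample copies the 'ID:B.723' spacing).
PATCHED_OUTPUT = """\
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.5.0.46.6
Internal Build ID : B.723
Patches : 5-5-0-46-6
"""

FCS_OUTPUT = """\
Cisco ACS VERSION INFORMATION
=============================
Version : 5.5.0.46
Internal Build ID:B.723
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_version_output(text):
    """Parse 'Key : Value' lines into a dict, tolerating missing spaces
    around the colon; banner and underline lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def patch_status(text):
    """Classify a node from its version output.

    'patched': version, build and patch list all match the patch 6 readme.
    'fcs'    : the unpatched 5.5.0.46 baseline the readme says is eligible.
    'other'  : anything else, including a version string that does not agree
               with the Patches line. The readme does not show the output for
               patches 1 to 5, so those are deliberately not recognised here.
    """
    fields = parse_version_output(text)
    version = fields.get("Version", "")
    build = fields.get("Internal Build ID", "")
    patches = [p.strip() for p in fields.get("Patches", "").split(",") if p.strip()]
    if version == EXPECTED_VERSION and build == EXPECTED_BUILD and EXPECTED_PATCH in patches:
        return "patched"
    if version == FCS_VERSION and build == EXPECTED_BUILD and not patches:
        return "fcs"
    return "other"


if __name__ == "__main__":
    for name, sample in (("patched node", PATCHED_OUTPUT), ("FCS node", FCS_OUTPUT)):
        print(f"{name}: {patch_status(sample)}")
```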