The Cisco Crosswork Network Controller 5.0.4 includes individual component files that fix key customer-found issues and security vulnerabilities. This document describes the resolved bugs and how to install the patch.

If you have additional questions not addressed in this document, contact Cisco Customer Experience.

Resolved bugs

The Cisco Crosswork Network Controller 5.0.4 patch resolves these Cisco Crosswork Network Controller bugs:

See the Find additional bug details section for how to use the Cisco Bug Search Tool.

Table 1. Crosswork Infrastructure

| Bug ID | Bug description |
| --- | --- |
| CSCwk19297 | Web socket notifications are not properly working |
| CSCwm41049 | Vulnerability observed in org.postgresql:postgresql CVE-2024-1597 reported by Trivy scan found in Crosswork Network Controller |
| CSCwi87019 | Vulnerabilities found in shiro 1.12.0 CVE-2023-46749 |

Table 2. Element Management Functions

| Bug ID | Bug description |
| --- | --- |
| CSCwk80216 | Multiple common vulnerabilities and exposures (CVE) observed for Element Management Functions (EMF) 5.0.4 |
| CSCwj64401 | Vulnerabilities found in jsch 0.1.55 |
| CSCwj70313 | Vulnerabilities found in netty 4.1.100.Final |
| CSCwj70316 | Vulnerabilities found in castor 1.3 |

Table 3. Crosswork Optimization Engine

| Bug ID | Bug description |
| --- | --- |
| CSCwh33144 | Bandwidth on demand (BWOD) update in Crosswork Network Controller failed with an error while the UI hangs and is unresponsive |

Table 4. Crosswork Change Automation

| Bug ID | Bug description |
| --- | --- |
| CSCwk76230 | In Crosswork Network Controller, vulnerabilities were observed in NCA 4.4.4, 5.0.3, 6.0.x; requests 2.22.0, 2.26.0, as well as urllib3 1.25.8, 1.26.10 |
| CSCwk77630 | Vulnerabilities found in jinja 3.0.2 CVE-2024-34064 in 5.0.3 |
| CSCwk77844 | Vulnerabilities found in libyaml 0.2.5 CVE-2024-35329 and others in Crosswork Network Controller |

Table 5. Crosswork Zero Touch Provisioning

| Bug ID | Bug description |
| --- | --- |
| CSCwj49744 | Vulnerabilities found in spring-framework 6.0.17 CVE-2024-22259 |
| CSCwj42800 | Vulnerabilities found in tomcat 10.1.16 CVE-2024-24549, as well as others found in Crosswork Network Controller |
| CSCwj71377 | Vulnerabilities found in zookeeper and guava |
| CSCwj80191 | Vulnerabilities found in netty 4.1.107.Final CVE-2024-29025 |
| CSCwm38863 | Vulnerabilities found in spring-framework 5.3.37 CVE-2024-38808 |
| CSCwj09052 | Vulnerabilities found in snappy-java 1.1.8.4 CVE-2023-34455 |

Table 6. Crosswork Infrastructure (MOP)

| Bug ID | Bug description |
| --- | --- |
| CSCwk38351 | In the Crosswork Network Controller UI, health degraded events are generated for orchestrator pods randomly |

Find additional bug details

You can use the Cisco Bug Search Tool to see additional details for selected bug IDs listed in the Cisco Crosswork Network Controller 5.0.4 component tables.

  1. Go to the Cisco Bug Search Tool.

  2. Enter your registered Cisco.com username and password, and click Log In.

    The Bug Search page opens.


    Note


    If you do not have a Cisco.com username and password, you can register here.


  3. From the Product list, select Cloud and Systems Management > Routing and Switching Management > Cisco Crosswork Network Automation.

  4. Enter 5.0.4 in the Release field.

  5. (Optional) You can enter additional criteria (such as bug ID, problem description, a feature, or a product name) in the Search For field.

  6. Click Search. When the search results are displayed, use the filter tools to narrow the results. You can filter the bugs by status, severity, and so on.


Note


To export the results to a spreadsheet, click Export Results to Excel.


Patch installation workflow

This section provides the high-level workflow for installing the Crosswork Network Controller 5.0.4 patch.

You can upgrade to Crosswork Network Controller version 5.0.4 from either version 5.0.0 or 5.0.3.

Table 7. Patch Installation Workflow

| Step | Action |
| --- | --- |
| 1 | Compare the versions of your current Crosswork applications with the new patch versions to determine which applications need an upgrade. Download the patch versions only for the applications you need. See Download Cisco Crosswork Network Controller 5.0.4 component patch files for more information. |
| 2 | Ensure that your environment meets all the installation prerequisites. Refer to the guidelines in Patch installation prerequisites. |
| 3 | Extract and validate the Crosswork Network Controller 5.0.4 patch files. Refer to the guidelines in Extract and validate 5.0.4 patch files. |
| 4 | Copy and execute the Crosswork Infrastructure MOP script. Refer to the guidelines in Copy and execute the Crosswork Infrastructure MOP. |
| 5 | Add and install the 5.0.4 patch files in the Crosswork Network Controller UI. Refer to the guidelines in Add and install 5.0.4 patch files. |


Important


Ensure you execute the Crosswork Infrastructure MOP before starting the disaster restore process with the 5.0.4 patch, as failing to do so may cause the Element Management Functions pods to go down after the disaster restore.


Download Cisco Crosswork Network Controller 5.0.4 component patch files

This section provides the overview and installation sequence of all the component patch files released in the Crosswork Network Controller 5.0.4 release. Please note that some patch files may be optional for your specific needs.

Please review the list and download all the required patch files from the Cisco Software Download page to a local machine.

  1. (Mandatory) Crosswork Infrastructure MOP file: signed-cw-na-infra-5.0.4-MOP-241015.tar.gz

  2. (Mandatory) Crosswork Infrastructure: signed-cw-na-infra-patch-5.0.4-28-release-241105.tar.gz

  3. (Mandatory) Crosswork Optimization Engine: signed-cw-na-coe-patch-5.0.4-11-release-240930.tar.gz

  4. (Mandatory) Crosswork Active Topology: signed-cw-na-cat-patch-5.0.4-3-release-241016.tar.gz

  5. (Mandatory) Element Management Functions: signed-cw-na-common-ems-services-patch-5.0.4-205-releaseems504-241018.tar.gz

  6. Crosswork Service Health: signed-cw-na-aa-patch-5.0.4-2-release-241024.tar.gz

  7. Crosswork Change Automation: signed-cw-na-ca-patch-5.0.4-13-release-241025.tar.gz

  8. Crosswork Health Insights: signed-cw-na-hi-patch-5.0.4-8-release-241023.tar.gz

  9. Crosswork Zero Touch Provisioning: signed-cw-na-ztp-patch-5.0.4-11-releaseztp500-241001.tar.gz

Patch installation prerequisites

This section describes the installation prerequisites needed to install the Crosswork Network Controller 5.0.4 patch.

  • Ensure that you have your Cisco Crosswork Administrator user credentials.

  • Ensure that you have the Management IP address used for your Crosswork VM deployment.

  • Take a backup of your data. Additionally, ensure that the server being patched has sufficient space to unarchive and copy the MOP scripts. Please make sure to clean up at least 5GB of space in the /home/cw-admin/ directory and 1GB of space in the /tmp/ directory to prevent any space constraints during script execution.

  • Ensure that your local machine, where the patch files are downloaded, is accessible via scp by Crosswork Network Controller.


Caution


The upgrade process is disruptive and should be performed during a maintenance window. The time required for the applications to restart is typically less than 30 minutes per application. If you encounter any error while installing the patch, contact the Cisco Customer Experience team before attempting to move forward with the next step.


Extract and validate 5.0.4 patch files

This section explains how to extract and validate the downloaded 5.0.4 patch files. Repeat these steps for each 5.0.4 patch file you plan to install.


Attention


It is crucial that you extract the .tar.gz file from the signed file. You must add and install this specific file through the Crosswork Network Controller UI.


Procedure


Step 1

After downloading the patch file, navigate to the folder where the tar file was downloaded. As an example, consider the Crosswork Infrastructure signed patch image (signed-cw-na-infra-patch-5.0.4-28-release-241105.tar.gz) for this procedure.

cd <folder where the tar file was downloaded>

Step 2

Extract the file using this command.

tar -xzvf <signed image file>

Example:

tar -xzvf signed-cw-na-infra-patch-5.0.4-28-release-241105.tar.gz

The file unpacks into the patch and the necessary tools to validate its contents.

Output:
README
cw-na-infra-patch-5.0.4-28-release-241105.tar.gz
cw-na-infra-patch-5.0.4-28-release-241105.tar.gz.signature
CW-CCO_RELEASE.cer
cisco_x509_verify_release.py3

Step 3

Validate the extracted patch file using this command.

python3 cisco_x509_verify_release.py3 -e <.cer file> -i <.tar.gz file> -s <.tar.gz.signature file> -v dgst -sha512

Important

Enter this command as a single line. The tool wraps it according to the screen width.

Example:
python3 cisco_x509_verify_release.py3 -e CW-CCO_RELEASE.cer -i cw-na-infra-patch-5.0.4-28-release-241105.tar.gz -s cw-na-infra-patch-5.0.4-28-release-241105.tar.gz.signature -v dgst -sha512

Output:

Retrieving CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully retrieved and verified crcam2.cer.
Retrieving SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully retrieved and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from CW-CCO_RELEASE.cer.
Successfully verified the signature of cw-na-infra-patch-5.0.4-28-release-241105.tar.gz using CW-CCO_RELEASE.cer
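
The three steps above can be scripted so that every signed bundle is checked the same way before its payload is added in the UI. This is an added example, not part of Cisco's documentation or tooling: the function names are hypothetical, and the file names and success strings are assumptions taken from the sample output above.

```shell
#!/bin/sh
# Added example; CERT, TOOL and the matched strings are assumptions from the page's sample output.
CERT=CW-CCO_RELEASE.cer
TOOL=cisco_x509_verify_release.py3

# Payload name = signed bundle name without the "signed-" prefix.
inner_name() { basename "$1" | sed 's/^signed-//'; }

# Reject absolute member paths and any ".." path component.
path_is_safe() { case "/$1/" in //*|*/../*) return 1 ;; esac; }

# List the archive before unpacking; fail if it is unreadable or a member is unsafe.
members_are_safe() {
    listing=$(tar -tzf "$1") || return 1
    printf '%s\n' "$listing" | while IFS= read -r member; do
        path_is_safe "$member" || exit 1
    done
}

# Unpack bundle $1 into directory $2 and require every file the check needs.
extract_bundle() {
    members_are_safe "$1" || { echo "unsafe or unreadable: $1" >&2; return 1; }
    mkdir -p "$2" && tar -xzf "$1" -C "$2" || return 1
    payload=$(inner_name "$1")
    for need in "$payload" "$payload.signature" "$CERT" "$TOOL"; do
        [ -s "$2/$need" ] || { echo "missing from bundle: $need" >&2; return 1; }
    done
}

# True only if verifier output $1 reports the chain and the signature of payload $2 as verified.
verification_succeeded() {
    printf '%s\n' "$1" | grep -Fq 'Successfully verified root, subca and end-entity certificate chain.' &&
        printf '%s\n' "$1" | grep -Fq "Successfully verified the signature of $2 using $CERT"
}

# Run the bundled verifier with the options the page gives, in directory $1.
verify_bundle() {
    out=$(cd "$1" && python3 "$TOOL" -e "$CERT" -i "$2" -s "$2.signature" \
        -v dgst -sha512 2>&1 || true)
    printf '%s\n' "$out"
    verification_succeeded "$out" "$2"
}

# With a bundle path as argument, run the whole check; otherwise only define functions.
if [ "$#" -ge 1 ]; then
    work=$(mktemp -d) && extract_bundle "$1" "$work" &&
        verify_bundle "$work" "$(inner_name "$1")" &&
        echo "Verified: $work/$(inner_name "$1")"
fi
```

Run it once per downloaded signed file; a non-zero exit status means the payload was not confirmed and should not be added in the UI.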

Copy and execute the Crosswork Infrastructure MOP

This section explains how to copy and execute the Crosswork Infrastructure 5.0.4 MOP file.

Before you begin

Ensure you have extracted and validated the Crosswork Infrastructure MOP, cw-na-infra-5.0.4-MOP-241015.tar.gz, using the instructions in Extract and validate 5.0.4 patch files.

Procedure


Step 1

Copy the extracted MOP file, using the VIP address, to the /home/cw-admin/ folder on one of the Crosswork hybrid nodes.

scp {MOP file} cw-admin@{Crosswork VIP Address}:/home/cw-admin/

Example:
scp cw-na-infra-5.0.4-MOP-241015.tar.gz cw-admin@10.10.10.10:/home/cw-admin/

Step 2

SSH into the Crosswork hybrid node where you copied the files, and change to root using the sudo su - command.

Step 3

Extract the MOP file:

Example:

cd /home/cw-admin
tar -xzvf cw-na-infra-5.0.4-MOP-241015.tar.gz

Output:

signed-cw-na-k8s-orchestrator-5.0.4-8-release-241015.tar.gz
update_orch.sh
nbi_patch.sh

Step 4

Update the permissions.

chmod 755 update_orch.sh

Step 5

Run the script file.

./update_orch.sh

When you run the script you will be asked for the password for the cw-admin user account.

Note

 

Do not enter the password more than once even if you are prompted repeatedly to do so. The script will reuse the password that it read from the earlier input.

Wait 10 to 15 minutes for the update to complete and verify that the system is healthy.


Add and install 5.0.4 patch files

This section explains how to add and install the 5.0.4 patch files in the Crosswork Network Controller UI.


Note


The upgrade patch is supported only if the corresponding 5.0.x file is installed.


Before you begin

Ensure you have extracted and validated the required 5.0.4 patch files using the instructions in Extract and validate 5.0.4 patch files.

Procedure


Step 1

Click on Administration > Crosswork Management, and select the Application Management tab. The Crosswork Platform Infrastructure and any applications that are added are displayed here as tiles.

Step 2

Click on the Add File (.tar.gz) option to add the patch file that you extracted. As an example, consider the Crosswork Infrastructure patch file, cw-na-infra-patch-5.0.4-28-release-241105.tar.gz for this procedure.

Attention

 

It is crucial that you extract the .tar.gz file from the signed file. You must add and install this specific file through the Crosswork Network Controller UI.

The Add File (tar.gz) via Secure Copy popup window is displayed.

Step 3

Enter the relevant information and click Add.

Step 4

Once the patch file is added, you can observe the existing application tile displaying an upgrade prompt. Click the upgrade prompt to install the patch file.

In the Upgrade pop-up screen, select the new version that you want to upgrade to, and click Upgrade. Click on Job History to see the progress of the upgrade operation.

Step 5

After the installation is complete, go to Administration > Crosswork Manager and confirm all of the applications are reporting a Healthy status.

Note

 

It is expected that some processes will be reported as unhealthy or degraded as the upgrade is deployed (an updated status may take up to 30 minutes before reporting). If, after 30 minutes, the status does not change to Healthy, contact your Cisco Customer Experience representative. It is recommended to wait until the system is back to Healthy status before proceeding to install the next patch file.

Step 6

Repeat steps 1 to 5 to add and install the remaining Crosswork application patch files that you need.

Step 7

If the UI becomes unresponsive, perform the following:

  • Verify that the robot-ui pod is up using the below command:

    kubectl get pods | grep robot-ui

  • If no pods are listed in the above command, execute the below script to enable robot-ui:

    kubectl exec -it -n kube-system $(/opt/robot/bin/orchleader.sh) -- bash
    robotctl dunit start pod-du-ui

    Wait for the response "dunit is successfully started" and exit.

If dg-manager is down:

  • Verify that the dg-manager is not present using the below command:

    kubectl get pods | grep dg-manager

  • If no pods are listed in the above command, execute the below script to enable dg-manager:

    kubectl exec -it -n kube-system $(/opt/robot/bin/orchleader.sh) -- bash
    robotctl dunit start pod-du-dgmanager

    Wait for the response "dunit is successfully started" and exit.