The purpose of this patch is to address the GLIBC vulnerability listed in CVE-2015-7547 for the Cisco Nexus 9000 and Cisco Nexus 3000 Series switches running the 7.0(3)I2(2a) release software.
Note: Documentation for Cisco Nexus 9000 and Cisco Nexus 3000 Series switches running the 7.0(3)I2(2b) release can be found here:
Further details about the CVE-2015-7547 vulnerability can be found here:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc
Table 1 shows the online change history for this document.
Table 1. Online Change History
Date | Description
March 15, 2016 | Created the release notes for Cisco NX-OS Patch Release 7.0(3)I2(2a).
This release includes patches for the modular and ToR products listed in this section.
The modular products require two patches. See the Patch Files section for more information.
■ Cisco Nexus 9504 Switch
■ Cisco Nexus 9508 Switch
■ Cisco Nexus 9516 Switch
The ToR products require one patch. See the Patch Files section for more information.
■ Cisco Nexus 3016 Switch
■ Cisco Nexus 3048 Switch
■ Cisco Nexus 3064 Switch
■ Cisco Nexus 3064-T Switch
■ Cisco Nexus 3132Q Switch
■ Cisco Nexus 3132Q-V Switch
■ Cisco Nexus 3132Q-XL Switch
■ Cisco Nexus 3164Q Switch
■ Cisco Nexus 3172 Switch
■ Cisco Nexus 3172PQ-XL Switch
■ Cisco Nexus 3172TQ Switch
■ Cisco Nexus 3172TQ-32T Switch
■ Cisco Nexus 3172TQ-XL Switch
■ Cisco Nexus 93120TX Switch
■ Cisco Nexus 93128TX Switch
■ Cisco Nexus 9332PQ Switch
■ Cisco Nexus 9372PX Switch
■ Cisco Nexus 9372PX-E Switch
■ Cisco Nexus 9372TX Switch
■ Cisco Nexus 9396PX Switch
■ Cisco Nexus 9396TX Switch
This release includes the patches listed in this section. For the list of supported modular and ToR products, see Supported Products.
The patch files for the platforms can be downloaded from the Software Download Center for the respective platforms with a valid CCO account. Here is a direct link:
Table 2. Release 7.0(3)I2(2a) Patch Files
Platform | Patch File | Requires Reload
Modular | nxos.CSCuy36553_modular_sup-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm | No
Modular | nxos.CSCuy36553_modular_lc-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm | Yes
ToR | nxos.CSCuy36553_TOR-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm | Yes
This section explains how to apply the modular and ToR patches for this release.
For more information on applying patches, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.
Note: Save any config changes before applying the patches.
This section explains how to apply the modular patches (SUP and line card). These patches apply to the Cisco Nexus 9508, 9504, and 9516 Series switches.
Note:
■ The ToR patch cannot be applied on a SUP or line card.
■ The nxos.CSCuy36553_modular_sup-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm patch must be added before the nxos.CSCuy36553_modular_lc-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm patch.
Step 1. Add the SUP and line card patches to the test bed (the SUP patch must be added first):
install add nxos.CSCuy36553_modular_sup-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm
install add nxos.CSCuy36553_modular_lc-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm
Step 2. Verify that the patches were properly added:
show install inactive
Step 3. Activate the SUP patch first:
install activate nxos.CSCuy36553_modular_sup-1.0.0-7.0.3.I2.2a.lib32_n9000
Step 4. Verify that the SUP patch is listed in the Active Packages list:
show install active
Step 5. Commit the SUP patch:
install commit
Step 6. Verify that the SUP patch is listed in the Committed Package list:
show install committed
Step 7. Activate the line card patch:
install activate nxos.CSCuy36553_modular_lc-1.0.0-7.0.3.I2.2a.lib32_n9000
Note: When prompted to reload, answer Yes.
Step 8. After the system comes back online, commit the line card patch with the command below. If you skip this step, the line card patch is not persistent and is lost on the next reload:
install commit
Step 9. After committing the line card patch, verify that both patches are activated and committed:
show install active
show install committed
This section explains how to apply the ToR patch.
Note: The modular patches cannot be applied on a ToR.
Step 1. Add the ToR patch to the test bed:
install add nxos.CSCuy36553_TOR-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm
Step 2. Activate the ToR patch:
install activate nxos.CSCuy36553_TOR-1.0.0-7.0.3.I2.2a.lib32_n9000
Step 3. Commit the ToR patch:
install commit
Step 4. Verify that the ToR patch is listed in the Active Packages list:
show install active
Step 5. Verify that the ToR patch is listed in the Committed Package list:
show install committed
Step 6. Manually reload the switch so that the ToR patch takes effect:
reload
Step 7. After the reload, verify that the patch has been activated and committed:
show install active
show install committed
This section explains how to verify that the patches for this release were applied successfully.
Step 1. With the bash shell feature enabled (feature bash-shell), open a root shell:
run bash sudo su
Step 2. List the installed libc6 packages:
yum list | grep libc6
Note: The Step 2 output without the patch:
libc6.lib32_x86 2.15-r14 installed
libc6.x86_64 2.15-r14 installed
libc6-utils.x86_64 2.15-r14 installed
Note: The Step 2 output with the patch:
libc6.lib32_x86 2.15+4.6a+127-r15 @/libc6-2.15+4.6a+127-r15.lib32_x86
libc6.x86_64 2.15+4.6a+127-r15 @/libc6-2.15+4.6a+127-r15.x86_64
libc6-utils.x86_64 2.15-r14 installed
This section explains how to deactivate the patches for this release.
Note: Deactivating the patches is not recommended.
This section explains how to deactivate the modular patches. These patches apply to the Cisco Nexus 9508, 9504, and 9516 Series switches.
Note: The nxos.CSCuy36553_modular_lc-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm patch must be removed before the nxos.CSCuy36553_modular_sup-1.0.0-7.0.3.I2.2a.lib32_n9000.rpm patch.
Step 1. Deactivate the line card patch:
install deactivate nxos.CSCuy36553_modular_lc-1.0.0-7.0.3.I2.2a.lib32_n9000
Note: When prompted, answer Yes to reload the test bed.
Step 2. Deactivate the SUP patch:
install deactivate nxos.CSCuy36553_modular_sup-1.0.0-7.0.3.I2.2a.lib32_n9000
Step 3. Commit the change:
install commit
Step 4. Remove the inactive SUP and line card patches:
install remove inactive
Step 5. Verify the patches were removed:
show install inactive
Step 6. Perform a reload:
reload
This section explains how to deactivate the ToR patch.
Step 1. Deactivate the ToR patch:
install deactivate nxos.CSCuy36553_TOR-1.0.0-7.0.3.I2.2a.lib32_n9000
Note: When prompted, answer Yes to reload the test bed.
Step 2. Perform a manual reload:
reload
Step 3. Commit the change:
install commit
Step 4. Remove the inactive ToR patch:
install remove inactive
Step 5. Verify that the deactivation was successful:
show install inactive
Step 6. Perform a manual reload:
reload
The guest shell carries its own copy of glibc, which the NX-OS patch does not update. Customers who do not use the guest shell feature can destroy the guest shell with the guestshell destroy command, as shown below:
switch#guestshell destroy
You are about to destroy the guest shell and all of its contents. Be sure to save your work. Are you sure you want to continue? (y/n) [n] y
switch#
The steps in this section apply to users of the guest shell feature. Use the following procedure to update glibc inside the guest shell.
Step 1. Go to guest shell:
guestshell
Step 2. From a VRF context that has connectivity to the yum repository, update glibc:
chvrf <vrf> sudo yum -y update glibc
Step 3. Verify that the installed glibc package is 2.17-106.el7_2.4 or later (the release field must be at least 106.el7_2.4; compare the whole version-release string, not only the trailing 2.4):
yum list installed | grep glibc
glibc.x86_64 2.17-106.el7_2.4 @updates
glibc-common.x86_64 2.17-106.el7_2.4 @updates
Step 4. Verify that the CVE (Common Vulnerabilities and Exposures) entry is listed as fixed in the changelog of the newly updated glibc RPM by issuing the following command inside the guest shell:
rpm -q --changelog glibc | grep CVE-2015-7547
CVE-2015-7547 fix (#1296030).
- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296030).
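Both the NX-OS host verification (yum list | grep libc6) and the guest shell verification above leave the operator to read a yum listing by eye. The following Python script is an added example and is not part of the Cisco release note: it parses both listings, compares versions with rpm's segment-wise rules (so 2.17-106.el7_2.4 is correctly seen as newer than a constructed 2.17-105.el7_2.8 even though the trailing 2.8 is larger than 2.4, which is the trap in a naive reading of "at least 2.4"), deliberately ignores libc6-utils on the NX-OS host because the note shows it staying at 2.15-r14 after a successful patch, and checks the rpm changelog for the CVE. The sample outputs embedded in the script are constructed from the lines the note prints; the function names and the 2.17-105.el7_2.8 line are this example's own assumptions.

```python
"""Added verification helper (example code, not part of the Cisco release
note): parse the `yum` listings the note shows and decide whether the
CVE-2015-7547 fix is present on the NX-OS host and in the guest shell.
Sample outputs below are constructed from the lines the release note prints."""
import re

# Fixed versions taken from the release note: the patched NX-OS host libc6
# and the guest-shell glibc (CentOS 7) that carries the CVE-2015-7547 fix.
NXOS_FIXED = "2.15+4.6a+127-r15"
GUEST_FIXED = "2.17-106.el7_2.4"


def _segments(s):
    """Runs of digits and runs of letters; everything else is a separator."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Compare two rpm version or release strings the way rpm does:
    numeric runs compare as integers (106 > 9), a numeric run beats an
    alphabetic one, alphabetic runs compare as strings, and if one string
    has segments left over it is the newer one.  Returns -1, 0 or 1.
    (rpm's '~' and '^' special cases are not needed for these strings.)"""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def vr_at_least(have, want):
    """True if the 'version-release' string `have` is >= `want`.  The split is
    on the last '-' as rpm does it; version is compared before release."""
    hv, _, hr = have.rpartition("-")
    wv, _, wr = want.rpartition("-")
    if not hv:          # no '-' present: the whole string is the version
        hv, hr = hr, ""
    if not wv:
        wv, wr = wr, ""
    c = rpmvercmp(hv, wv)
    return c > 0 if c != 0 else rpmvercmp(hr, wr) >= 0


def parse_yum_list(text):
    """Map 'name.arch' -> 'version-release' from `yum list` style lines
    (columns: name.arch, version-release, repo or state).  Long names that
    yum wraps onto two lines are not handled; none occur in these listings."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and "." in parts[0]:
            pkgs[parts[0]] = parts[1]
    return pkgs


def nxos_host_patched(yum_output):
    """Both the 32-bit and 64-bit libc6 packages on the NX-OS host must carry
    the patched version.  libc6-utils is deliberately ignored: the note shows
    it staying at 2.15-r14 after a successful patch, so checking it would
    report a false 'unpatched'."""
    pkgs = parse_yum_list(yum_output)
    return all(name in pkgs and vr_at_least(pkgs[name], NXOS_FIXED)
               for name in ("libc6.lib32_x86", "libc6.x86_64"))


def guest_shell_patched(yum_output, changelog):
    """glibc in the guest shell must be at or beyond 2.17-106.el7_2.4 (whole
    release field, not just the trailing '2.4') and its rpm changelog must
    mention the CVE; these are the two checks the note performs."""
    pkgs = parse_yum_list(yum_output)
    ver_ok = any(vr_at_least(vr, GUEST_FIXED)
                 for name, vr in pkgs.items() if name.startswith("glibc."))
    return ver_ok and "CVE-2015-7547" in changelog


# Constructed sample outputs, copied from the listings in the release note.
NXOS_BEFORE = """\
libc6.lib32_x86 2.15-r14 installed
libc6.x86_64 2.15-r14 installed
libc6-utils.x86_64 2.15-r14 installed
"""
NXOS_AFTER = """\
libc6.lib32_x86 2.15+4.6a+127-r15 @/libc6-2.15+4.6a+127-r15.lib32_x86
libc6.x86_64 2.15+4.6a+127-r15 @/libc6-2.15+4.6a+127-r15.x86_64
libc6-utils.x86_64 2.15-r14 installed
"""
GUEST_AFTER = """\
glibc.x86_64 2.17-106.el7_2.4 @updates
glibc-common.x86_64 2.17-106.el7_2.4 @updates
"""
# Constructed (hypothetical) pre-fix line: the trailing '2.8' is larger than
# '2.4', but release 105 < 106, so it must still be reported as vulnerable.
GUEST_OLD = "glibc.x86_64 2.17-105.el7_2.8 @base\n"
GUEST_CHANGELOG = "- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296030).\n"

if __name__ == "__main__":
    state = lambda ok: "fixed" if ok else "VULNERABLE"
    print("NX-OS host before patch:", state(nxos_host_patched(NXOS_BEFORE)))
    print("NX-OS host after patch: ", state(nxos_host_patched(NXOS_AFTER)))
    print("guest shell, updated:   ", state(guest_shell_patched(GUEST_AFTER, GUEST_CHANGELOG)))
    print("guest shell, old glibc: ", state(guest_shell_patched(GUEST_OLD, GUEST_CHANGELOG)))
```

On a real switch, feed the script the captured output of the two yum commands and of rpm -q --changelog glibc instead of the embedded samples; the comparison logic is the same.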
This section includes the Resolved Caveats and Open Caveats sections.
■ Resolved Caveats—Cisco NX-OS Patch Release 7.0(3)I2(2a)
■ Open Caveats—Cisco NX-OS Patch Release 7.0(3)I2(2a)
Table 3 lists the Resolved Caveats in Cisco NX-OS Patch Release 7.0(3)I2(2a). Click the bug ID to access the Bug Search tool and see additional information about the bug.
Table 3. Resolved Caveats in Cisco NX-OS Patch Release 7.0(3)I2(2a)
Bug ID | Description
CSCuy36553 | The Cisco Nexus 3000 and 9000 Series switches listed below, which run Cisco Nexus 9000 Series NX-OS software, include a version of GLIBC that is affected by the vulnerability identified by the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-7547. This information is disclosed in http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc.
■ Cisco Nexus 3016 Switch
■ Cisco Nexus 3048 Switch
■ Cisco Nexus 3064 Switch
■ Cisco Nexus 3064-T Switch
■ Cisco Nexus 3132Q Switch
■ Cisco Nexus 3132Q-V Switch
■ Cisco Nexus 3132Q-XL Switch
■ Cisco Nexus 3164Q Switch
■ Cisco Nexus 3172 Switch
■ Cisco Nexus 3172PQ-XL Switch
■ Cisco Nexus 3172TQ Switch
■ Cisco Nexus 3172TQ-32T Switch
■ Cisco Nexus 3172TQ-XL Switch
■ Cisco Nexus 93120TX Switch
■ Cisco Nexus 93128TX Switch
■ Cisco Nexus 9332PQ Switch
■ Cisco Nexus 9372PX Switch
■ Cisco Nexus 9372PX-E Switch
■ Cisco Nexus 9372TX Switch
■ Cisco Nexus 9396PX Switch
■ Cisco Nexus 9396TX Switch
■ Cisco Nexus 9504 Switch
■ Cisco Nexus 9508 Switch
■ Cisco Nexus 9516 Switch
For a list of open caveats, see the Cisco Nexus 9000 Series NX-OS Release Notes for Release 7.0(3)I2(2a).
The entire Cisco Nexus 9000 Series NX-OS documentation set is available at the following URL:
The Cisco Nexus 3164Q Switch - Read Me First is available at the following URL:
The Cisco Nexus 3232C and 3264Q Switch Read Me First is available at the following URL:
No new documentation for this release.
To provide technical feedback on this document, or to report an error or omission, please send your comments to nexus9k-docfeedback@cisco.com. We appreciate your feedback.
For information on obtaining documentation and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Open a service request online at:
https://tools.cisco.com/ServiceRequestTool/create/launch.do
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Cisco Nexus 9000 Series NX-OS Release Notes, Patch Release 7.0(3)I2(2a)
© 2016 Cisco Systems, Inc. All rights reserved.