
STEALTHWATCH® SYSTEM VERSION 6.9.3 RELEASE NOTES

This document provides the following information:

- Fixes for issues reported by customers, including previous releases:
  - Version 6.9.3
  - Version 6.9.2
  - Version 6.9.1
  - Version 6.9.0
- Issues known to exist in this release.

For all features included in Stealthwatch v6.9, refer to the release notes for each previous version: v6.9.0, v6.9.1, and v6.9.2.

For a list of alarm types and their IDs, access the Alarm IDs v6.9.0 file. You can also access this document via the Alarm List topic in the SMC Client Interface online help.

For additional information about the Stealthwatch System, go to the Lancope Customer Community.

RELEASE NOTES | Stealthwatch System v6.9.3
© 2018 Cisco Systems, Inc. All Rights Reserved.

Important:

- If you currently do not have pxGrid configured, then when you update to Stealthwatch v6.9.3 you must reconfigure Cisco ISE. (If you configured pxGrid in Stealthwatch 6.8.x, your configuration is copied forward to Stealthwatch v6.9.3.)
- Before upgrading your system from v6.8.3/v6.8.4 to v6.9.3, install the following rollup patches. (See Known Issues for more information.)
  - v6.8.3: patch-smc-ROLLUP015-6.8.3-01.swu or later, and patch-fcnf-ROLLUP013-6.8.3-01.swu or later
  - v6.8.4: patch-smc-ROLLUP007-6.8.4-01.swu or later, and patch-fcnf-ROLLUP006-6.8.4-01.swu or later
- Due to changes to the APIs, customers running the Host Group Automation Service require a service software upgrade. Contact support for upgrade assistance (see "Contacting Support").
- For enhanced security, before you add a Flow Collector or Flow Sensor in the System Setup Tool, you must first have created a management channel between the Flow Collector and/or Flow Sensor and the Stealthwatch Management Console (SMC). If you have not done this, you will receive an error message when you try to add either appliance in the System Setup Tool. The specific instructions are on page 43 of the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide or page 15 of the Hardware Configuration Guide.
- For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new OpenSSL version with TLS 1.2.
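
As an added example (not part of these release notes and not Cisco code), the rollup-patch prerequisite above can be checked mechanically before an upgrade is attempted. The script parses patch filenames of the form quoted above, takes the highest ROLLUP number installed per appliance image for the base version in question, and reports which prerequisite is still unmet. The filename pattern, the reading of the trailing "-01" as a build revision that does not affect the "or later" comparison, and the inventory of installed patches are assumptions; the required ROLLUP numbers are the ones listed above.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Minimum rollup patch per appliance image before upgrading to v6.9.3, taken from
# the "Important" list above. Only these two base versions are covered there.
REQUIRED_ROLLUPS: Dict[str, Dict[str, int]] = {
    "6.8.3": {"smc": 15, "fcnf": 13},
    "6.8.4": {"smc": 7, "fcnf": 6},
}

# Assumed filename layout, inferred from the names quoted above:
#   patch-<image>-ROLLUP<nnn>-<base version>-<build>.swu
# "image" is the appliance image token (smc, fcnf); "build" is assumed to be a
# build revision that does not take part in the "or later" comparison.
PATCH_RE = re.compile(
    r"^patch-(?P<image>[a-z]+)-ROLLUP(?P<rollup>\d+)"
    r"-(?P<version>\d+\.\d+\.\d+)-(?P<build>\d+)\.swu$"
)


def parse_patch_name(name: str) -> Tuple[str, int, str]:
    """Return (image, rollup number, base version); raise on anything else."""
    m = PATCH_RE.match(name)
    if m is None:
        raise ValueError(f"not a rollup patch filename: {name!r}")
    return m.group("image"), int(m.group("rollup")), m.group("version")


def highest_installed(installed: Iterable[str], base_version: str) -> Dict[str, int]:
    """Highest ROLLUP number present per image for base_version.

    Patches built for another base version are ignored rather than counted,
    so a 6.8.4 rollup cannot satisfy a 6.8.3 prerequisite.
    """
    best: Dict[str, int] = {}
    for name in installed:
        image, rollup, version = parse_patch_name(name)
        if version == base_version:
            best[image] = max(rollup, best.get(image, 0))
    return best


def missing_prerequisites(base_version: str, installed: Iterable[str]) -> List[str]:
    """List the rollup patches still needed before upgrading base_version to v6.9.3.

    An empty list means the prerequisite is satisfied. "Or later" is read as a
    higher ROLLUP number for the same image and base version.
    """
    if base_version not in REQUIRED_ROLLUPS:
        raise ValueError(f"no v6.9.3 upgrade prerequisites known for {base_version}")
    have = highest_installed(installed, base_version)
    missing = []
    for image, needed in sorted(REQUIRED_ROLLUPS[base_version].items()):
        got = have.get(image, 0)
        if got < needed:
            missing.append(
                f"patch-{image}-ROLLUP{needed:03d}-{base_version}-01.swu or later "
                f"(highest installed: ROLLUP{got:03d})"
            )
    return missing


if __name__ == "__main__":
    # Constructed inventory for a v6.8.3 deployment: the SMC rollup is newer than
    # required, the Flow Collector rollup is one short, and one 6.8.4 patch is noise.
    inventory = [
        "patch-smc-ROLLUP016-6.8.3-01.swu",
        "patch-fcnf-ROLLUP012-6.8.3-01.swu",
        "patch-fcnf-ROLLUP006-6.8.4-01.swu",
    ]
    for line in missing_prerequisites("6.8.3", inventory) or ["prerequisites satisfied"]:
        print(line)
```

Run it against the output of whatever lists installed .swu files on each appliance; any name the regular expression rejects raises immediately rather than being silently skipped, so an unexpected naming scheme is noticed instead of passing the gate.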

Notes:

- This document uses the term "appliance" for any Stealthwatch System product, including virtual editions (VEs) such as the Flow Collector VE.
- The Stealthwatch System requires Java version 8 (v1.8) or later.
- The Stealthwatch System requires TLS v1.1 or later.
- The Stealthwatch System supports Internet Explorer v11 and later.
- For this release, the security category point contributions have been recalibrated. After updating to v6.9.3 from v6.8.x, it can take 10 days for the system to re-baseline the security categories. You may see an increase or decrease in alarms at first and then a gradual return to a more standard level. Upgrading from v6.9.0/v6.9.1/v6.9.2 to v6.9.3 does not cause a re-baselining of security categories.
- Where previously setting a security event to "disabled" disabled the event, disabling it now disables the alarm.
- To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix on the Customer Community.

What's Been Fixed

This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD or LSQ) number is provided for reference.


Version 6.9.3

Defect | Description | LSQ
LVA-356 | Security update for Wheezy: CVE-2017-10672 | NA
LVA-358 | Security update for Jessie: CVE-2017-14746, CVE-2017-15275 | NA
SWD-8128 | Creating a diagnostic pack on the Flow Collector Database node triggered a DB Channel Down alarm. We increased the session time-out period to avoid false DB Channel Down alarms. | LSQ-2755
SWD-8476 | Added clarification for the database storage statistics in the SMC client interface online help. | LSQ-2820
SWD-9094 | A quotation mark in the application detail column caused an error when exporting a flow table to a CSV file. The application detail fields were updated to handle quotation marks. | LSQ-3086
SWD-9138 | "String index out of range" error in the Offline Activation dialog. Improved exception handling to address the error and added a condition to verify the presence of a dash symbol. | LSQ-3124
SWD-9218 | The UDP Director HA was not accepting a certain block of IP space. Updated lib-ipaddress IPv4Address::isMulticast to include the 224.x.x.x and 239.x.x.x IP ranges. | LSQ-3122
SWD-9222 | Updated the license failure message with the updated customer support information. | LSQ-3116
SWD-9229 | The status for offline Exporters never changed from green. The refresh logic was updated so the status for exporters is correct. | LSQ-3115
SWD-9289 | The "export_delay" function was not working. Increased the maximum limit for the field to one second and added a delay between every packet. | LSQ-3147
SWD-9301 | The exporter list under a Flow Collector disappeared when an exporter was deleted. The refresh logic for exporters was updated to prevent the exception that caused the tree to be painted incorrectly. | LSQ-3109

SWD-9307 | The Flow Data Lost alert emails contained the Flow Collector information where the Exporter should have been listed. Fixed an issue where the device_ip_address column was updated with the Flow Collector IP address instead of the Exporter IP. | LSQ-3114

SWD-9359 | Upgrading a Flow Sensor 250 caused the system to fail. Added a safety check when trying to update a Flow Sensor 250 to v6.9.3. | LSQ-3173
SWD-9444 | The Flow Collector engine had a SIGSEGV error at pool_exit in process_message. A memory leak related to the deletion of exporters was found and fixed, and extra protection was added to the handling of the Service Bandwidth data structures. | LSQ-3196
SWD-9450 | Interface utilization was high after upgrade. Updated the SMC to properly update the interface information sent to the Flow Collector. | LSQ-3154
SWD-9465 | The time slider on the Flow Search page was unresponsive. Improved the UI code to avoid the page becoming unresponsive under high load from the HGA tree. | LSQ-3194
SWD-9490 | The export button was cut off on the Flow Search page. Updated the UI to handle resizing the browser window. | LSQ-3223
SWD-9494 | The hostname field was missing from the HostAlarm structure in the MIB. Added the missing field. | LSQ-3209
SWD-9495 | When the NetFlow template did not contain input and output SNMP interface numbers, the Flow Collector engine assigned them to SNMP interface 1. The engine code was changed to stop assigning SNMP interface 1 and instead assign a fictitious interface that is never exported out of the engine. | LSQ-3058
SWD-9502 | The "more details" link on the UDP Director admin page disappeared once the page loaded. Fixed the hyperlink to be consistent during and after page load. | LSQ-3224
SWD-9511 | Newer ISR firewalls export firewall events in different formats than earlier versions. Changed the NetFlow engine to honor the updated ISR template definitions so that firewall "Denies" are now processed correctly. | LSQ-3204

SWD-9515 | The Flow Collector 5020 (NIC card: 0x800008a4) failed to load the 10G driver. Modified the grub configuration files to allow the Intel 10G network card to work with the Jessie kernel. | LSQ-3235

SWD-9524 | The UDP Director device information column was not populated when the Management Channel Down alarm triggered. Added the device type to the system_alarm table. | LSQ-3207
SWD-9559 | The Flow Collector engine had a SIGSEGV error at search_threat_host. Reworked the threat feed code to minimize the locking time of the processing threads. | LSQ-3208
SWD-9564 | The Proxy Log Configuration Guide had a graphic error in the Configure the Upload Client section. The port number was corrected in the graphic. | LSQ-3237
SWD-9566 | The "lsof" process never finished running, at 100% CPU usage, when creating a diagnostic pack. A 60-second timeout was added during diagnostic pack creation to avoid low-memory issues. | LSQ-3228
SWD-9586 | After upgrading host_policy.xml, the SMC got a NullPointerException during restart. Added default tolerance settings to prevent the exception. | LSQ-3264
SWD-9607 | Added the "Peer Host Groups" option to the Manage Columns menu for the Top Conversations table. | LSQ-3266
SWD-9692 | Fixed the Traffic by Peer Host Group display, which was using the wrong timestamp for some archive hour settings. | LSQ-3277
SWD-9758 | Effective Host Policy did not display the correct settings. Updated the report to verify the Impact column check box before the Enable column check box. | LSQ-3303
SWD-9763 | The SMC failed to request user information from Active Directory. Updated the SMC to accept the user information when the format is "domain\username" or "domain username". | LSQ-3262
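
As an added example (not part of these release notes and not Stealthwatch code), the parser below shows the identity-handling point behind SWD-9763: an Active Directory account reference may arrive as "domain\username" or as "domain username", and both must resolve to the same principal. Anything that is not exactly one domain token, one separator and one user token is rejected rather than guessed at, because a lookup that silently treats a malformed string as a bare username can resolve to the wrong account. The accepted layouts are the two named in SWD-9763; upper-casing the domain and comparing usernames case-insensitively is this example's normalisation choice, and the inputs are constructed.

```python
import re
from typing import NamedTuple, Optional


class AdUser(NamedTuple):
    domain: str    # short (NetBIOS-style) domain name, upper-cased for comparison
    username: str  # account name as supplied; compared case-insensitively


# One domain token, one separator (a literal backslash or a run of whitespace),
# one user token. Neither token may itself contain a backslash or whitespace.
# Assumption: only the two layouts named in SWD-9763 are accepted.
_DOMAIN_USER_RE = re.compile(r"^\s*([^\\\s]+)(?:\\|\s+)([^\\\s]+)\s*$")


def parse_ad_user(raw: str) -> Optional[AdUser]:
    """Parse "DOMAIN\\user" or "DOMAIN user"; return None for anything else.

    Surrounding whitespace is tolerated; a trailing third token is not, so
    "DOMAIN\\user extra" is rejected instead of being read as DOMAIN\\user.
    """
    m = _DOMAIN_USER_RE.match(raw)
    if m is None:
        return None
    domain, user = m.groups()
    return AdUser(domain.upper(), user)


def same_principal(a: str, b: str) -> bool:
    """True if two differently formatted strings name the same AD account."""
    ua, ub = parse_ad_user(a), parse_ad_user(b)
    if ua is None or ub is None:
        return False
    return ua.domain == ub.domain and ua.username.lower() == ub.username.lower()


if __name__ == "__main__":
    # Constructed inputs covering both accepted layouts and two malformed ones.
    for s in ["CORP\\jdoe", "corp jdoe", "CORP  jdoe", "jdoe", "CORP\\jdoe extra"]:
        print(repr(s), "->", parse_ad_user(s))
```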


Version 6.9.2

Defect | Description | LSQ
LVA-221 | Vim did not properly validate values for tree length when handling a spell file, which may have resulted in an integer overflow at a memory allocation site and a resultant buffer overflow. | NA
STE-97 | Updated Support Contact information within Stealthwatch. | NA
SWD-7143 | The lc_profiles process on the Flow Collector was very slow. Revamped the host group lookup functionality to fix a bottleneck. | LSQ-2713
SWD-7735, SWD-8210 | ISE "deviceType" and "Security Group ID" fields were empty. Provided values for the fields from the applicable pxGrid fields. | LSQ-2880
SWD-8200 | A flow search with too many characters for an IP address range caused Vertica to crash. Changed the logic around constructing IP range searches. | LSQ-2869
SWD-8314 | The Flow Collector was not processing a non-zero DSCP field. Added support for the DSCP field. | LSQ-2911
SWD-8317 | External Lookup failed with a 500 internal server error. Fixed the null pointer error when loading the External Lookup configuration page. | LSQ-2912
SWD-8323 | The SMC was utilizing a high amount of memory. We refactored the SMC client interface code to improve UI responsiveness. | LSQ-2904
SWD-8340 | Disk expansion was not working on virtual appliances. We modified the partitions to make sure the /lancope/var partition was not mounted during the resize_fs function, and we added the ability for expandDataPartition to run again and complete the operation if the previous attempt had failed. | LSQ-2913
SWD-8438 | The Flow Collector saved flow records from one source ID and discarded records with the other source ID. Added observation domain binding to the exporter stats for cases where more than one exporting engine exports from a single exporter IP address using different source ID values. | LSQ-2557


SWD-8477 | The Vertica MergeOut process was very slow for the flow_stats table. Added several Vertica database tuning parameters to remedy the ROS container backup problems. | LSQ-2935, LSQ-2963
SWD-8542 | Security Event details were missing in the web application interface. Fixed an issue where Security Event details were always empty. | LSQ-2982
SWD-8559 | The Online Help referred to an incorrect alarm name. Updated the help to refer to "Ping Oversized Packet" instead of "Long Ping". | LSQ-2989
SWD-8590 | Tor traffic with no packets from the server was alarming as "Successful". The alarm was updated to "Attempted". | LSQ-2992
SWD-8591 | The Flow Sensor eth4 log was showing an invalid pointer error. Fixed the code to output the log message correctly. | NA
SWD-8598 | The Flow Sensor 3000 was not processing packets with multilayer VLAN tags. The engine has been modified to handle up to 4096 layered tags. | LSQ-2995
SWD-8629 | The SMC client interface was missing the "user management" menu. Users with "SMC manager" rights now have access to the "user management" menu. | LSQ-3013
SWD-8635 | Cisco SenderBase links were incorrect on the External Lookup configuration page. Fixed the broken links. | LSQ-3002
SWD-8636 | The Traffic by Peer Host Group component was not displaying flow information. Updated the component to display flow data correctly. | LSQ-3005
SWD-8661 | Updated the flow-forwarder Docker container v2.2.2 to use less memory and turned on heap debugging options so that more information can be gathered when there is an issue with the Java (JVM) heap. | LSQ-3022
SWD-8670 | The support information updated for STE-97 was translated into Korean, Chinese, and Japanese. | NA


SWD-8689 | "Client Port Filtering" was not working with Fast Query selected. A query fix makes "Client Port Filtering" work correctly with or without Fast Query enabled. | LSQ-3031
SWD-8701 | OVF resource defaults did not match the documented minimums. Updated the SMC and Flow Collector OVFs to 16 GB RAM. | NA
SWD-8702 | Unable to edit response management rules in the SMC client interface. Added a fix to handle null pointer errors when editing the rules in Response Management. | LSQ-3038
SWD-8708 | TextCopyHandler failed to read files at /lancope/var/smc/tmp. Scheduled report temporary file handling has been improved to avoid SQL errors. | LSQ-2987, LSQ-3048
SWD-8727 | The Top Alarming Hosts widget was not loading due to an unknown host exception error. The svc-sw-reporting container was updated to better handle exceptional data within the database. | LSQ-2987, LSQ-3004, LSQ-3048
SWD-8771, SWD-8791 | The MongoDB compact script failed to save the SMC configuration. Fixed a typo that caused the script to fail. | LSQ-3012
SWD-8807 | The client interface redirected the user to the license manager page on a licensed SMC. Updated the code so that users are able to access the client interface on a properly licensed appliance. | LSQ-3124, LSQ-3132, LSQ-3133
SWD-8819 | The Interface Service Traffic report was broken. Corrected an issue with the database query group used by the report. | LSQ-3066
SWD-9515 | The Flow Collector 5020 (NIC card: 0x800008a4) failed to load the 10G driver. Modified the grub configuration files to allow the Intel 10G network card to work with the Jessie kernel. Confirm all appliances have the latest patch files installed. | LSQ-3235
NA | CTA could not be enabled on the Flow Collector 5000 series. Created an API to handle the Flow Collector 5000 Database and Engine. | NA
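
As an added example (not Stealthwatch code and not part of these release notes), the decoder below shows the two NetFlow v9 handling points behind SWD-9495 in the 6.9.3 list above and SWD-8438 in this list. Template state is keyed by (exporter IP, source ID) rather than by IP alone, so two exporting engines behind one address that both use template ID 256 with different layouts do not overwrite each other's templates; and a record whose template carries no INPUT_SNMP or OUTPUT_SNMP field is given a marker value rather than interface 1. The packet layout follows RFC 3954 and the field type numbers are the standard ones; the sample packets are constructed inline, the exporter address and source IDs are invented, and the NO_INTERFACE sentinel value is this example's choice, not the fictitious interface the engine uses.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers (RFC 3954, section 8).
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, INPUT_SNMP = 7, 8, 10
L4_DST_PORT, IPV4_DST_ADDR, OUTPUT_SNMP = 11, 12, 14

# Marker for "the template carried no interface field". Real ifIndex values are
# positive, so it cannot be confused with interface 1 (the SWD-9495 behaviour).
# The value is this example's choice, not Stealthwatch's.
NO_INTERFACE = -1


@dataclass
class Exporter:
    templates: Dict[int, List[Tuple[int, int]]] = field(default_factory=dict)  # id -> (type, length) pairs
    records: List[dict] = field(default_factory=list)


class Collector:
    """Minimal NetFlow v9 decoder with state keyed by (exporter IP, source ID)."""

    def __init__(self):
        # SWD-8438: two engines behind one IP may reuse a template ID with different
        # layouts, so templates are scoped per (IP, source ID), not per IP.
        self.exporters: Dict[Tuple[str, int], Exporter] = {}

    def feed(self, src_ip: str, packet: bytes) -> None:
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"expected NetFlow v9, got version {version}")
        exporter = self.exporters.setdefault((src_ip, source_id), Exporter())
        offset = 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:          # template FlowSet
                self._parse_templates(exporter, body)
            elif fs_id >= 256:      # data FlowSet (1 = options template, 2-255 reserved: skipped)
                self._parse_data(exporter, fs_id, body)
            offset += fs_len

    @staticmethod
    def _parse_templates(exporter, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, n_fields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(n_fields)]
            pos += 4 * n_fields
            exporter.templates[template_id] = fields

    @staticmethod
    def _parse_data(exporter, template_id, body):
        fields = exporter.templates.get(template_id)
        if fields is None:
            return  # template not seen yet; a real collector buffers or drops the set
        record_len = sum(length for _, length in fields)
        pos = 0
        while pos + record_len <= len(body):  # anything left over is padding
            raw = {}
            for ftype, length in fields:
                raw[ftype] = body[pos:pos + length]
                pos += length
            exporter.records.append(decode(raw))


def decode(raw: Dict[int, bytes]) -> dict:
    """Name the fields of one record; a missing interface field becomes NO_INTERFACE, not 1."""
    num = lambda t: int.from_bytes(raw[t], "big") if t in raw else None
    ip4 = lambda t: ".".join(str(b) for b in raw[t]) if t in raw else None
    return {"src": ip4(IPV4_SRC_ADDR), "dst": ip4(IPV4_DST_ADDR), "proto": num(PROTOCOL),
            "sport": num(L4_SRC_PORT), "dport": num(L4_DST_PORT),
            "bytes": num(IN_BYTES), "pkts": num(IN_PKTS),
            "in_if": num(INPUT_SNMP) if INPUT_SNMP in raw else NO_INTERFACE,
            "out_if": num(OUTPUT_SNMP) if OUTPUT_SNMP in raw else NO_INTERFACE}


def _packet(source_id, template_id, fields, rows):
    """Constructed export packet (one template FlowSet + one data FlowSet); not a real capture."""
    header = struct.pack("!HHIIII", 9, 1 + len(rows), 1000, 1500000000, 1, source_id)
    tmpl = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    data = b"".join(row[t].to_bytes(l, "big") for row in rows for t, l in fields)
    data += b"\x00" * ((4 - len(data) % 4) % 4)  # pad the data FlowSet to a 32-bit boundary
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", template_id, 4 + len(data)) + data)


def demo() -> Collector:
    """One exporter IP, two engines (source IDs 1 and 2) that both use template ID 256."""
    with_ifaces = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
                   (PROTOCOL, 1), (INPUT_SNMP, 2), (OUTPUT_SNMP, 2), (IN_BYTES, 4), (IN_PKTS, 4)]
    without_ifaces = [(t, l) for t, l in with_ifaces if t not in (INPUT_SNMP, OUTPUT_SNMP)]
    flow = {IPV4_SRC_ADDR: 0x0A000001, IPV4_DST_ADDR: 0xC0A80101, L4_SRC_PORT: 51234, L4_DST_PORT: 443,
            PROTOCOL: 6, INPUT_SNMP: 3, OUTPUT_SNMP: 7, IN_BYTES: 1500, IN_PKTS: 10}
    collector = Collector()
    collector.feed("10.1.1.1", _packet(1, 256, with_ifaces, [flow]))
    collector.feed("10.1.1.1", _packet(2, 256, without_ifaces, [flow]))
    return collector


if __name__ == "__main__":
    for key, exporter in demo().exporters.items():
        print(key, exporter.records)
```

With the templates keyed by IP alone, the second engine's 7-field template 256 would replace the first engine's 9-field one and every later record from engine 1 would be decoded with the wrong layout; with the (IP, source ID) key both decode correctly, and the engine-2 record reports NO_INTERFACE for both interfaces instead of a fabricated ifIndex.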


Version 6.9.1

Defect | Description | LSQ
STE-84 | The port number for the server and the protocol information have been added to the Email Response. | NA
SWD-7120 | In the SMC client interface, gaps appeared on the Flow Collector Trend chart for a Flow Collector running a Host Group Automation script. Improved the process so that host group updates work without causing gaps in the Flow Collection Trend graphs. | LSQ-2462
SWD-7260 | In the SMC client interface, the Host Manager displayed duplicate entries. New code transfers values from a Java List object to a HashSet object, which does not allow duplicates. | LSQ-2590
SWD-7322 | The Flow Collector engine did not stop inserting data when the disk was 100% full. Added code to disable the stats the database writes at maximum disk utilization and to trigger the performance degraded alarm. | LSQ-2606
SWD-7371 | A false alarm that the License Term would expire in less than 3 days occurred after a Flow Sensor was added to a Flow Collector. The code was updated to calculate the license expiration date correctly. | LSQ-2615
SWD-7411 | The Flow Collector Database failed to back up the admin hsql database when upgrading. The directory permission is now handled automatically, which allows the backup of the hsql database. | LSQ-2433
SWD-7470 | The SMC client interface contained settings that are no longer applicable. VM Status and VM Server Status were removed from the Status drop-down menu. | NA
SWD-7525 | After upgrade, deleted exporters caused the error "Thread interrupted" to occur. A bottleneck was discovered in the code and removed so that exporter deletions can be performed within a reasonable time period. | LSQ-2646
SWD-7540, SWD-7688 | The selection for "Second" in the Flow Table Filter was removed because the seconds rounded up to the next minute anyway. | LSQ-2652


SWD-7541 | The delete option for an SSL client certificate did not work on a secondary SMC. The fix allows the add/delete function for SSL client certificates on a secondary SMC. | LSQ-2626
SWD-7549 | The flow traffic on the Flow Sensor 4010 showed no utilization with non-zero inbound traffic. We fixed the SMC detection of the Flow Sensor fiber port interface speeds used in utilization calculations. | LSQ-2649
SWD-7599 | There was a database backup return error on system configuration. Updated the backup routines to handle file copies to CIFS destinations differently. | LSQ-2621, LSQ-2572, LSQ-2674
SWD-7615 | The Hardware Configuration Guide had an error in the Configure Primary UDP Director section. The guide was updated with the correct information. | LSQ-2679
SWD-7621 | The Top Conversations Report was not returning all results when a host filter was used. The fix corrected the miscalculation when computing the transaction report values in the Top Conversations Report. | LSQ-2593
SWD-7631 | The Flow Collector's Vertica database was using all of its memory. We upgraded Vertica to fix issues with it consuming blocks of memory that it does not free until shutdown and with it allocating unused virtual memory. | LSQ-2698
SWD-7644 | The Top Conversations transaction report was showing incorrect values. A fix avoids duplicate values and shows the appropriate number of records for each Flow Collector in the transaction report. | LSQ-2593
SWD-7653 | IDentity v3.3.0 does not support TLS 1.0 or 1.1. The SMC Java client was updated so that the customer can use TLS v1.2 for connections back to the SMC. | LSQ-2712


SWD-7676 | Users could not create a diagnostics pack for an appliance. The fix corrected an exception in the audit log when creating a diagnostics pack. | LSQ-2692
SWD-7689 | The CPU average load calculation on the SMC client interface dashboard was incorrect. The CPU average load has been updated to reflect the updated appliances. | LSQ-2677
SWD-7692 | The Top Conversations Report did not return all results when filtering hosts. The problem occurred when generating reports with more than one Flow Collector configured. The fix corrects the query to collect all required data from the database for all required Flow Collectors. | LSQ-2593
SWD-7708, SWD-8137 | Users could not import DAR and XML files into Document Builder. Fixed an issue with launching a new report from Document Builder that has several pages named alphabetically. | LSQ-2738
SWD-7739 | A Tomcat socket got stuck on an IP address. We implemented code to clear the Tomcat socket and firewall rule. | LSQ-2724
SWD-7765 | Flow data queries across multiple Flow Collectors did not return consistent ordering. The fix orders the records returned for a flow query by flowid when a specific ordering is not requested, so that different invocations of the method do not return different results. | LSQ-2652
SWD-7787 | The Flow Table Service Summary and Service Port columns had mismatched port addresses. Fixed an issue where the service summary port was not updated to match the server port for certain flows. | LSQ-2710
SWD-7824 | Flow query was failing for the IPv6 address range 0000-FFFF. The flow query filter has been corrected to recognize and search IPv6 input values. | LSQ-2613
SWD-7862 | The associated flow table carried previous advanced filter values. The Flow Table "retain filter" option has been excluded from the associated flow table. | LSQ-2709


SWD-7865 | The Stealthwatch Management Console had high memory usage for the uWSGI appliance update process. Implemented a mechanism designed to prevent memory usage exceeding 4 GB by the uWSGI UPServ application. | LSQ-2722
SWD-7939 | Uploading certificates continued to display an error message even after subsequent successful uploads. Stopped the service call whenever an invalid certificate is uploaded so that the error does not persist after a successful certificate upload. | LSQ-2862
SWD-7963 | The client interface help was not showing topics when using the search tab. Fixed an encoding error caused by a Tomcat update. | NA
SWD-8072 | Top Reports returned more records than the set limit when there were two or more Flow Collectors. The Top Reports queries have been updated to split the number of records evenly between Flow Collectors. | LSQ-2822
SWD-8089 | The selection for "Second" in the Flow Table Filter was removed because the seconds rounded up to the next minute anyway. | LSQ-2652
SWD-8095 | Unable to activate SLIC after a recent update to proxy settings. Added code to restart the Tomcat process after updating proxy settings. | LSQ-2807
SWD-8107 | Email notifications for scheduled documents were not being logged properly. We fixed the log base path location, which pointed to the incorrect directory. | LSQ-2834
SWD-8136 | Cognitive Threat Analytics (CTA) API calls using JWT tokens were not being made correctly. JWT tokens are now passed in Authorization headers. | LSQ-2845, LSQ-2876
SWD-8182 | UDP Director 2010 could not boot after upgrade. Fixed an issue with the kernel upgrade process. | LSQ-2866
SWD-8239 | Error when creating and configuring Custom Applications. A new Java constructor has been added to avoid a bad request error when adding multiple custom application rules in the SMC. | LSQ-2765, LSQ-2829, LSQ-2865, LSQ-2893


Version 6.9.0

Defect | Description | LSQ
SWD-6607 | Flow collection dropped for one minute when adding or editing custom applications. We changed Application Definitions to perform the update at the beginning of the next minute instead of instantly, to avoid gaps in flow collection. | LSQ-2052
SWD-6700 | The SMC client interface showed VM Server features. We removed instances of the VM Servers in the SMC client interface Enterprise Tree and Traffic menu. | LSQ-2201
SWD-6715 | On the SMC, the Flow Collection Trend report showed data for one Flow Collector while the other indicated "no data available." We adjusted the database queries used by the Flow Collection Trends report to allow larger values for the FPS and flow count values. | LSQ-2217
SWD-6726 | In the SMC client interface, Flow Collector alarm details incorrectly displayed "I/O error." The error message was changed to "Unable to connect. Timeout waiting for connection." | LSQ-2170
SWD-6745 | The Flow Collector crashed, and in the SMC Web App interface the Flow Collection Trend had a 25-minute gap. Additional protection against a future potential crash was added to string handling in the flows. | LSQ-2253
SWD-6777 | A custom service that had been set to "Exclude Security Event" was still triggering Security Events. We updated the code to fetch the required service details from the configuration file and use them for event triggering. | LSQ-2261
SWD-6823 | The Flow Collector 5000 Engine node did not show its associated database node. We added a link to the database node on the Flow Collector 5000 support page. | LSQ-2328
SWD-6824 | The Flow Collector had performance problems. Special handling was added for broadcast hosts to prevent thread contention. | LSQ-2026


SWD-6839 | The Flow Collector Database Storage Statistics showed incorrect capacity when the number of days of "Flow Interface Details" was smaller than that of "Flow Details." We fixed the code to correctly calculate "Capacity in Days" and "Remaining Days." | LSQ-2238
SWD-6857 | The SMC was not polling the ifHighSpeed value for the 10 Gbps interface of an exporter. We enhanced logging information to aid in determining the solution for the defect. | LSQ-2325
SWD-6858 | A segmentation failure in the Flow Collector occurred when the flow interface buffer size was dynamically increased. The code was changed to make the buffer reallocation safe from conflicts. | LSQ-2026
SWD-6869 | The SMC was not using the secondary pxGrid Mitigation ISE node when the primary was down. The code looked only at the primary host; a Java file was changed so that it looks at the next available host. | LSQ-2367
SWD-6886 | The Vertica log file was growing too large. A logrotate entry was added to the config file so that old logs are purged and the log does not grow out of control. | NA
SWD-6891 | The SMC client took about 35 minutes to search a host and open its snapshot. The locking behavior was adjusted to allow greater concurrency. | SWD-6873
SWD-6901, SWD-6904 | After the SMC was updated, the Scheduled Documents showed errors and would not display any graphs. The problem for both defects was that an update to Java 8 still required some client groups to have Java 7. The code was changed so that the SMC uses Java 8 properly. | LSQ-2400
SWD-6922 | The Flow Sensor was dropping 90% of packets. We updated the drivers so the network interface card could pass the packets to the engine for processing. | LSQ-2410


SWD-6928 The defect was that the SMC Java client took 10 to 15 minutes to finish loading cache.

We adjusted the lock acquisition behavior of a portion of the SMC Web application so that the loss of communication with Cisco ISE nodes does not cause long delays in the login process through the SMC Java client.

LSQ-2416

SWD-6939 The defect was that the Database Storage Statistics page on the Flow Collector Appliance Admin interface was not loading.

We updated the JavaScript on the Database Storage Statistics page to use a different library function for greater browser support.

LSQ-2238

SWD-6941 The defect is that a UDP Director flowfan.xml modification and flowfan restart resulted in a High Availability (HA) cluster service error.

The error was caused by the HA service detecting that the flowfan process was not running because of a delay during manual restart of the service. The delay has been removed.

LSQ-2442

SWD-6955 A custom service that had been set to "Exclude Security Event" was still triggering Security Events.

We updated the code to fetch the required service details from the configuration file and use it for event triggering.

LSQ-2261

SWD-6960, SWD-6967 Customer had an issue with multiple Cisco ASAs reporting longest duration exports of 1,800.

The fix was to ignore the Summary Flows that are sent at the end of each firewall flow.

LSQ-2467

SWD-6976 The defect is that the customer was unable to configure custom certificates for SSL/TLS communications on the Stealthwatch appliances.

The fix provides the ability to install and use certificates with a trust chain longer than 1. The update will restart nginx. The fix is applicable to all appliances.

LSQ-2461

SWD-7061 User received an SMC internal server error.

To avoid this error message, an intermediary was placed between the interface requests that were causing this error and the Mongo database.

LSQ-2576

SWD-7107 The FlowCollector was not processing the user name.

The engine now processes Create events that have no bytes or packets so that it can process the AAA user name from the ASA "Flow created" record.

LSQ-2506


SWD-7131, SWD-7132 Some Stealthwatch appliances did not respond to ICMP requests from a Nagios monitoring server.

The default Docker IP address and the netmask for eth2 on the Flow Collector 5000 series database node were changed.

LSQ-2527

SWD-7149 A customer had an Internal Server error.

The fix was to decrease the frequency of certain operations made by the SMC Web interface that can cause increased load on the Mongo database.

LSQ-2545

SWD-7229 The Flow Collector home page would not load in an Internet Explorer browser.

The fix is to change some functions used in loading the Flow Collector home page, which were not supported by IE/Edge browsers.

LSQ-2558

SWD-7322 NetFlow decode was not properly retrieving ICMP type and code.

An initialization problem in the NetFlow decoder was fixed to properly retrieve the ICMP type and code from the first ICMP Netflow record that it decodes.

LSQ-2606

SWD-7324 The Flow Collector engine did not stop inserting data when the disk was 100% full.

Added code to disable the stats the database writes at maximum disk utilization and to trigger the performance degraded alarm.

LSQ-2606

SWD-7621 The Top Conversations Report was not returning all results when a host filter was used.

The fix was to correct the miscalculation while computing the transaction report values in the Top Conversations Report.

LSQ-2593

SWD-7653 IDentity v3.3.0 does not support TLS 1.0 or 1.1.

The SMC Java client was updated so that the customer could use TLS v1.2 for connections back to the SMC.

LSQ-2712

SWD-8163 Cognitive Threat Analytics (CTA) API calls using JWT tokens were not being made correctly.

JWT tokens are now being passed through Authorization headers.

NA


Known Issues

This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference.

Defect Number Description Workaround

LVA-306, LVA-307

If you have an untrusted virtual machine installed on the same physical cluster/system as a Stealthwatch appliance, the Stealthwatch appliance is vulnerable to a side-channel attack that can expose private keys.

A vulnerability was disclosed for the gnupg software package suite. This vulnerability involves a side-channel attack against the gnupg implementation of the RSA cryptographic algorithm. When RSA keys are in use on the system, the implementation allows for the recovery of 1024-bit length private keys. Additionally, it experimentally appears that 13% of the 2048-bit keyspace is vulnerable as well. More details about the vulnerability can be found by reading the white paper located at https://eprint.iacr.org/2017/627.

The risk from this side-channel attack applies where the private key is in use on the system. For Stealthwatch customers, this applies to SSH and HTTPS sessions. For customers running hardware appliances and in fully controlled Virtual Machine infrastructures, the risk of exposure is mitigated by access to the physical and virtual systems. For customers running in a co-located VM infrastructure, the risk of exposure is greater.

Important: Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch System appliances.

Important: If you are upgrading the system to v6.9.3 from an earlier version, confirm all appliances have the latest patch files installed.

To review the Stealthwatch appliance vulnerability, complete the following steps:

1. Log in to the Stealthwatch Appliance Admin.

2. Click Configuration > Services. Review the SSH section. If the Enable SSH box is checked, you need to regenerate the RSA host key pair using the instructions shown below.

3. Click Configuration > SSL Certificate. Review the installed certificates. If there are custom certificates installed using the RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates.

4. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates.

If the SSH service is enabled on the appliance, regenerate the RSA host key using the following instructions. You will regenerate the RSA host key on every appliance in the system.

1. SSH onto the SW Appliance as root or using the root terminal option in the sysadmin menu.

2. To delete the public and private keys in the primary location, run the following command: rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub

3. To delete the public and private keys in the backup location, run the following command: rm -f /lancope/var/admin/ssh/ssh_host_rsa_key /lancope/var/admin/ssh/ssh_host_rsa_key.pub

4. To regenerate a new RSA host key pair, run the following command: /lancope/admin/bin/GenerateSSHKeys

5. Do one of the following to restart the SSHD service:

o If the appliance software version is 6.9 and later, run the following command: systemctl restart ssh.service

o If the appliance version is earlier than 6.9, run the following command: /etc/init.d/ssh restart

6. Repeat these steps on every appliance in the Stealthwatch System.
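Step 2 of the review above asks whether SSH is enabled; the following added Python example (not part of the release notes and not Cisco code) parses the public half of an RSA host key in the format of /etc/ssh/ssh_host_rsa_key.pub and reports its modulus size, flagging the RSA-1024 and RSA-2048 sizes the notes treat as vulnerable. The sample key lines are constructed moduli of the right bit length, not real keys; the notes still require regenerating the host key on every appliance with SSH enabled, whatever its size.

```python
import base64
import struct

# RSA sizes the release notes say to replace on Stealthwatch appliances.
VULNERABLE_RSA_BITS = {1024, 2048}

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then payload."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative int as an SSH mpint (leading 0x00 when the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def encode_ssh_rsa(e: int, n: int, comment: str) -> str:
    """Build a line in the format of /etc/ssh/ssh_host_rsa_key.pub from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def _read_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string; return (payload, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def ssh_rsa_bits(pubkey_line: str) -> int:
    """Return the RSA modulus size in bits of an ssh-rsa public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob is not ssh-rsa")
    _e, off = _read_string(blob, off)        # public exponent, not needed here
    n_bytes, _ = _read_string(blob, off)     # modulus, big-endian, may have a leading 0x00
    return int.from_bytes(n_bytes, "big").bit_length()

def needs_regeneration(pubkey_line: str) -> bool:
    """True when the host key uses one of the RSA sizes the advisory flags."""
    return ssh_rsa_bits(pubkey_line) in VULNERABLE_RSA_BITS

# Constructed sample keys (not real keys): moduli with the top bit set at the target length.
SAMPLE_2048 = encode_ssh_rsa(65537, (1 << 2047) | 0x10001, "constructed-2048")
SAMPLE_4096 = encode_ssh_rsa(65537, (1 << 4095) | 0x10001, "constructed-4096")
```

On an appliance, read the single line of /etc/ssh/ssh_host_rsa_key.pub and pass it to needs_regeneration; a result of True means the key is one of the sizes the notes call out.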

If you have installed custom certificates using RSA-1024 or RSA-2048 bit keys on your Stealthwatch appliances, you must regenerate new X509 certificates.

1. Log in to the Stealthwatch Appliance Admin.

2. Click Configuration > SSL Certificate.

3. Click the ? icon to open the Help page.

o Use the SSL Certificate instructions to generate a new X509 certificate.

o If the X509 certificate is RSA, create it with a size of 4096 bits.

4. Delete the old (vulnerable) X509 certificate from the appliance.

5. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, regenerate new certificates.

o Click the ? icon to open the Help page.

o Use the Certificate Authority Certificates instructions to add a new X509 certificate.

o If the X509 certificate is RSA, create it with a size of 4096 bits.

SWD-7627 If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View.

None currently available; the feature will be available in a future release.

SWD-7655 The generation of a diagnostics pack may fail in large systems as a result of timing out.

To overcome this, open the SSH console for the appliance and run this command: doDiagPack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP.

SWD-8197 The Flow Sensor was not detecting enough applications.

To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library.

SWD-8673 SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode.

To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script.

SWD-9052 Offline license activation failing or "Storage Binding Break" error.

This error may occur if you moved a virtual machine, uploaded a license more than once, or if the license is corrupted. Please contact Stealthwatch Customer Community for assistance.

SWD-9300 The Selected Cipher Suite does not appear in the Flow Search Results when using a non-standard port.

None currently available; this will be fixed in a future release.

SWD-9563 When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client drop-down arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons include the following:

• Search (magnifying glass icon)

• Help (person icon)

• Global Settings (gear icon)

Additionally, the fonts look different from how they appear when displayed using other browsers.

Close the browser and log in again.

SWD-10132 If you are upgrading from v6.8.3/v6.8.4, verify the root partition size is greater than 5 GB. If you have an installation instance that has existed prior to v6.8.x, the root partitions are very small and the upgrade from v6.8.3/v6.8.4 to v6.9.3 will fail with the error "Unable to copy image: Unable to copy ./FILES/rootimg.tgz into /mnt//lancope/admin/sysimage on new boot area".

Before upgrading your system from v6.8.3/v6.8.4 to v6.9.3, install the following rollup patches:

l v6.8.3:

o patch-smc-ROLLUP015-6.8.3-01.swu or later

o patch-fcnf-ROLLUP013-6.8.3-01.swu or later

l v6.8.4:

o patch-smc-ROLLUP007-6.8.4-01.swu or later

o patch-fcnf-ROLLUP006-6.8.4-01.swu or later

NA On the Flow Sensor VE, “Export Application Identification” is off by default.

To enable application identification, this advanced setting will need to be manually selected.


Contacting Support

If you need technical support, please do one of the following:

l Contact your local Cisco Partner

l Contact Cisco Stealthwatch Support

o To open a case by web: http://www.cisco.com/c/en/us/support/index.html

o To open a case by email: [email protected]

o For phone support: 1-800-553-2447 (U.S.)

o For worldwide support numbers: www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html


© 2018 Cisco Systems, Inc. All Rights Reserved. SW_6_9_3_Release_Notes_DV_1_5
