
RIVERBED PRODUCT RELEASE NOTES
PRODUCT: STEELHEAD CX
RELEASE DATE: DECEMBER 15, 2014
RIOS VERSION: 9.0.0

CONTENTS

1) Supported SteelHead Models
2) New Features in RiOS 9.0.0
3) Fixed Problems
4) Known Issues
5) Upgrading the RiOS Software Version
6) SteelCentral Controller for SteelHead (SCC) Compatibility
7) Hardware and Software Dependencies
8) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS

Important: RiOS 9.0.0 supports Riverbed SteelHead CX models xx50, xx55, CX 570, and CX 770, and DX model DXA-8000.

2) NEW FEATURES IN RIOS 9.0.0

Secure Transport Service
This feature enables simple, manageable group encryption for Path Selection deployments. It automatically encrypts data regardless of the path (including optimized and nonoptimized traffic) and secures traffic flowing between any two SteelHeads over private (MPLS) and Internet links by directing it to a secured uplink using path selection service rules. Secure transport uses standards-based encryption for added security and regulatory compliance.
Note: SteelCentral Controller v9.0 or higher is required to enable and configure Secure Transport for Path Selection.

Hybrid Network Topology, Application, and Site Definitions
RiOS v9.0 introduces a topology-oriented management approach aimed at simplifying the configuration and administrative upkeep of Hybrid Network services. Users define a simplified virtual representation of their network WAN topology, which helps the SteelHead and the SteelCentral Controller for SteelHead (formerly the Central Management Console) understand connectivity relationships and WAN capacities. This is important for Path Selection, Secure Transport, and QoS, because these features have site-dependent rules and dependencies.
RiOS v9.0 also changes the way users define and manage application classification criteria. Applications are now defined as objects that users can create, edit, use in QoS and Path Selection rules, and view in dashboards. In addition to the 1100+ application objects defined by the Riverbed Application Flow Engine (AFE), users can define their own custom application objects based on any number of IP header criteria and/or AFE named applications. Each application object includes three new properties based on business-level groupings: Application Group, functional Category, and Business Criticality level. These properties are a useful way to organize a large number of application objects into a smaller number of objects to manage in rules.

Streamlined QoS Configuration
This feature simplifies QoS configuration and builds on the previous basic QoS model with the added ability to create custom QoS profiles and classes on a per-site exception basis. The improved QoS user interface includes an easy-to-use QoS class hierarchy editor.

Enhanced Inbound QoS
Inbound QoS now supports hierarchical QoS classes. This provides more granular control over inbound traffic usage. The same QoS rules can now be applied to inbound and/or outbound traffic.

QoS Migration
This release supports the option to migrate RiOS v8.5.x or v8.6.x basic and advanced QoS configurations to v9.0 QoS profiles. However, Riverbed recommends that customers rebuild their QoS configuration rather than migrate the old configuration, to take advantage of the v9.0 QoS profiles, application objects, simplified topology model, and path selection features. Note that, to preserve the underlying behavior of the original QoS configuration, migrating a legacy advanced QoS configuration may produce an overly verbose and sub-optimal set of QoS profiles, classes, and topology model. For complex QoS migration assistance, please contact your local Riverbed representative.

Easy-to-Use Path Selection Capabilities
This feature enables you to more accurately control traffic flow across multiple WAN circuits within hybrid networks. RiOS v9.0 uses the concept of application groups to define path selection rules that include the global performance for an application, including the latency priority. Simplified configuration lets you define path selection rules for application groups such as business bulk (file transfer applications and protocols), business critical (low latency, transactional applications and protocols), business productivity (general business-level applications and protocols), business standard (intranetwork traffic going within local subnets), business video, and so on.

Expanded Exchange Server Qualifications
This feature expands Exchange 2013 server qualifications. The qualifications include:
- All Exchange 2013 Cumulative Updates
- Windows Server 2012 R2 with Exchange 2013 SP1 (CU4)
- Win 2012 R2 with Exchange 2010 SP3
- Win 2008 R2 with Exchange 2010 SP3

Improved SMB2/3 Performance
This feature includes SMB2/3 resiliency and graceful recovery, for signed and unsigned connections, from NULL pointer dereferences and invalid packet handling, significantly reducing SteelHead optimization service interruption or downtime.

SMB3.02 Support
This feature includes SMB3.02 dialect support when SMB3 is enabled on a SteelHead. SMB3.02 was introduced by Microsoft in Windows 8.1 and Windows Server 2012 R2, and it is only negotiated when systems running these operating system versions are directly connected. SMB3.02 is qualified with signed and unsigned traffic over IPv4 and IPv6 and with encrypted connections over IPv4 and IPv6. Authenticated connections between a server-side SteelHead and a domain controller are only supported over IPv4.

SteelHead Visibility with SteelCentral AppResponse
This feature extends end-user visibility and troubleshooting to SteelHead-optimized and nonoptimized enterprise Web and software as a service (SaaS) applications. In SteelHead-based deployments where a SteelCentral AppResponse version 9.5 appliance is present, you can use the SteelCentral Controller for SteelHead version 9.0 to configure the communication between the SteelHeads and the AppResponse appliances. This integrated solution provides visibility into a wide variety of issues, such as where service delays are occurring on the network and how well the SteelHead is performing.

Redesigned User Experience, New Dashboard, and Streamlined Work Flows
This feature improves configuration work flows, usability, and readability. The new design refreshes the SteelHead Management Console with these changes and more:
- The Home page is now called the Dashboard. The new Dashboard highlights the product name, appliance name, and appliance health status along with the optimized throughput and bandwidth optimization statistics.
- The previous cascading, hierarchical menu structure is now flat to provide easier navigation. This new structure also makes specific content more accessible.
- The new UI design focuses on the minimalist use of common controls, typography, and flat colors for better readability and attractiveness.

Improved User Permissions Page
This feature adds permissions for all other Role Based Management (RBM) roles and permission to perform appliance administration, minimizing the need to assign an administrator role that grants full read-write access to all areas of the appliance. The page now merges the capability-based and role-based user tables into one Accounts table. In addition, the default user setting has been relocated from the General Security Settings page to the User Permissions page.

Improved SSL
This feature enhances SSL optimization performance and scalability in these ways:
- Decreases the amount of memory used per SSL connection.
- Increases the number of connections per second for a SteelHead running in Federal Information Processing Standard (FIPS) mode.

Improved TCP Dump Diagnostic Tool
This feature includes a more resilient SNAP length configuration from the Management Console.

SteelHead (Virtual Edition) Performance and Benchmarking Tests
This feature provides a way to qualify and validate the performance of a target SteelHead-v model in your virtualization environment. Tests include validating CPU performance and disk throughput.

SteelHead (Virtual Edition) Support for ESXi 5.5
This feature updates the approved ESXi version to 5.5.

Merged SteelHead CX and SteelHead DX
This feature merges the CX and DX SteelHead models into one image; the appliance is automatically configured to the correct product model during installation.

SteelHead SaaS - GeoDNS for Office365
SteelHead SaaS now supports GeoDNS, which enables location-based optimization for Office365 Outlook and Outlook Web Access (OWA) Webmail. Office365 DNS requests from users are directed to the Client Access Server (CAS) closest to the user. This may be different from where the user's mailbox is located, for instance if the user is traveling or works from a different branch. This can create a condition where the transactions between the user's CAS and the Mailbox server incur a significantly higher latency than usual, for example if the user is in Melbourne trying to get email from a mailbox located in Chicago. GeoDNS, a feature fully supported in RiOS v9.0, overcomes this problem by detecting the user's mailbox location and mapping subsequent flows to a CAS closest to the user's mailbox. The route to that CAS is optimized using Akamai's SRIP network, which finds the fastest route to the CAS, and the SteelHead optimizes traffic from the user to the CAS, which is then located at a negligible latency from the Mailbox server. GeoDNS is also supported for Outlook Web Access (Webmail) and Public Folder access.

3) FIXED PROBLEMS

Problems fixed in version 9.0.0

6206 Added CLI commands to manage SSH client known hosts:
    show ssh client known-hosts
    no ssh client known-host

40722 Fixed an issue where the kernel would crash while the optimization service was starting due to a rare race condition between accessing the RiOS kernel state and the backend resources being available.

77755 This bug fix helps the optimization service gracefully recover when a corruption is detected in the deduplication index by repairing the data structures that form part of the index. This recovery occurs transparently without triggering a service crash, connection drops, or loss of data integrity.

86285 Updated the UI to use one tab instead of two. Previously a user had to choose which tab to use based on how many files they have. The certificate and key are available either as a single file or as separate files.

95814 Fixed a cryptic error message in the SteelHead logs to ensure that an appropriate error message is reported when SMB Signing or Encrypted MAPI fails because NTLM is blocked on the Domain Controllers.

106099 Fixed an issue where Domain Controller communication is marked as lost when the Domain Controller of a trusted domain is unreachable from the Domain Controller of the domain to which the SteelHead is joined.

116730 Fixed an issue where SNMP would return the incorrect speed on the primary interface.

123997 Fixed an issue where a disk alarm is triggered after a RAID element fails.

129100 Fixed an optimization device failure that would occur along with messages similar to "watcher: One or more threads not responding after at least [x]s; unhealthy threads follow."

130193 Fixed an issue where an interface would lose its link after upgrading to 8.6.0 if the interface speed and duplex were configured for 100 full (without using auto-negotiation) on both the SteelHead and the connected router or switch. The fix only applies to a configuration that is supported by the interface.

130315 Enhanced peer name parsing logic to allow hostnames containing underscores to be displayed.

138588 Removed generating a link-local IPv6 address for interfaces with an MTU value lower than 1280. This fix prevents the kernel error message "No buffer space available", because IPv6 requires the MTU on an interface to be at least 1280.

144119 RiOS software switches transparently from hardware to software compression when an error is detected on the SDR accelerator card. This enhancement ensures that the optimization service resumes compression with the SDR accelerator card after a fixed timeout period (6 minutes), thus helping recover full functionality in the case of transient errors like memory pressure. If the error is determined not to be transient (10 or more failures in a 2-hour period), the service switches entirely to software compression.
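The fallback policy described for fix 144119 (run software compression after an accelerator error, retry the hardware after the 6-minute timeout, and switch permanently once 10 or more failures occur within 2 hours), written out as a small state machine. This is an added illustration in Python, not RiOS code; it assumes time in seconds and treats the 2-hour period as a sliding window.

```python
from collections import deque


class CompressionFailover:
    """Hardware/software compression failover as described in fix 144119.

    Hypothetical model, not RiOS code. Time is given in seconds. After an
    accelerator error the service runs software compression, retries the
    hardware after RETRY_AFTER seconds, and abandons the hardware for good
    once FAILURE_LIMIT errors have occurred within a sliding FAILURE_WINDOW.
    """

    RETRY_AFTER = 6 * 60        # 6 minutes before hardware is retried
    FAILURE_WINDOW = 2 * 3600   # 2-hour window in which failures are counted
    FAILURE_LIMIT = 10          # 10 or more failures => non-transient error

    def __init__(self):
        self.mode = "hardware"
        self.failures = deque()         # timestamps of recent accelerator errors
        self.retry_at = None            # when hardware compression may be retried
        self.hardware_disabled = False  # True once the error is deemed persistent

    def _prune(self, now):
        # Drop failures that have aged out of the sliding window.
        while self.failures and now - self.failures[0] > self.FAILURE_WINDOW:
            self.failures.popleft()

    def record_error(self, now):
        """The accelerator reported an error at time `now`; returns the new mode."""
        if self.hardware_disabled:
            return self.mode
        self.failures.append(now)
        self._prune(now)
        self.mode = "software"
        if len(self.failures) >= self.FAILURE_LIMIT:
            # Too many failures in the window: treat the error as persistent.
            self.hardware_disabled = True
            self.retry_at = None
        else:
            # Transient (e.g. memory pressure): fall back now, retry later.
            self.retry_at = now + self.RETRY_AFTER
        return self.mode

    def current_mode(self, now):
        """Mode to use at time `now`, resuming hardware once the timeout has elapsed."""
        if (self.mode == "software" and not self.hardware_disabled
                and self.retry_at is not None and now >= self.retry_at):
            self.mode = "hardware"
            self.retry_at = None
        return self.mode


def simulate(events):
    """Replay (time, kind) events, kind being "error" or "check"; returns the mode after each."""
    failover = CompressionFailover()
    modes = []
    for when, kind in sorted(events):
        if kind == "error":
            modes.append(failover.record_error(when))
        else:
            modes.append(failover.current_mode(when))
    return modes


if __name__ == "__main__":
    # Constructed timeline: one transient error, then a burst of ten within two hours.
    timeline = [(0, "error"), (359, "check"), (360, "check")]
    timeline += [(3600 + i * 600, "error") for i in range(10)] + [(20000, "check")]
    print(simulate(timeline))
```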

144777 Fixed an issue where the reboot reason was not retrieved correctly on the SteelHead CX 255 because the HWMON driver was loaded before the reboot reason was gathered.

144891 In some rare cases, when a sysdump is started on a SteelHead with SteelHead Cloud Accelerator enabled, the SteelHead becomes less responsive and its CPU usage is high, with the following repetitive error message in the logs:
    Jul 15 14:53:54 mySH apprep_riverbed[5501]: [apprep_riverbed.ERR]: Could not write to 8: Connection refused

146046 Inbound QoS has been modified to limit processing of too many packets in a single pass. This prevents the watchdog from timing out and causing a reboot.

146431 Fixed an issue where, under certain circumstances, the system may fail to properly distribute interrupt load across all CPU cores, resulting in symptoms like packet drops or CPU alarms. Fixes have been made to the IRQ balancing mechanism to correct this problem.

147174 Enhanced NetFlow flow records to indicate to CascadeFlow collectors that the SteelHead interface data exported may be incorrect in a virtual in-path deployment or when Path Selection is enabled.

147363 Fixed an issue that resulted in a crash of the rcud process during high CPU and disk load on the SteelHead.

148619 Fixed a severe SSL CPS performance degradation issue when FIPS mode is enabled on the SteelHead. The performance degradation was due to heavy use of certain FIPS locks used by OpenSSL. The fix avoids read operations on FIPS locks to improve performance safely.

149216 Fixed an issue where opening a continuous log window could prevent a user's Web UI session from timing out. A timeout occurs either after the inactivity delay set in Web Settings or five minutes after the main window or tab is closed, whichever comes first.

150102 Fixed a memory leak that may occur if non-SSL traffic flows over SSL ports.

150211 Implemented a cache to store the disk's branding information, so it can be retrieved once and future retrievals are efficiently served by the cache. The cache is enumerated when the disk appears and is cleared when the disk disappears from the system.

150658 Fixed an issue where the optimization service could crash if an optimized Outlook Anywhere connection is closed while it is processing HTTP request or response headers.

151040 Fixed a race condition during delegation configuration to avoid a process restart.

151996 For Path Selection, the outputs of the CLI commands show connection and show flow now mark paths used for the inner connection pool with an asterisk (*) to help differentiate those paths from the paths that were used for the queried connection.

152355 Updated code to handle a zero-length LOCK request.

152519 Fixed an issue that caused the Group Policy Management Console application to crash on Windows 2012 servers. With the fix, Active Directory settings are correctly configured to ensure that a server object is created for the server-side SteelHead and its serverReference attribute is correctly set in the LDAP database when the SteelHead is joined in Windows 2008 Active Directory Integrated mode.

153082 Fixed an issue that caused a crash of the optimization service at Smb2::ClientParser::process_TreeDisconnectResponse(). The crash was due to an attempt to update metadata in an unoptimized node during a Tree Disconnect operation. The crash is likely to occur in Smb2::ClientParser::process_SessionLogoffResponse() as well, due to similar attempts made during a Session Logoff operation. The fix adds checks to avoid updating metadata in unoptimized nodes.

153178 Fixed a crash of the Application Visibility process "collectord". The crash was due to memory exhaustion during high load.

154088 This bug fix resolves a crash in RiOS resulting from a failure to compress a specific data pattern. The failure was caused by incorrect sizing of an output buffer. This fix makes sure the output buffer is big enough to handle such scenarios.

154381 Fixed an issue where a closing TCP connection that was simultaneously opened by the SteelHead and another device in the network would result in a RiOS kernel crash. The fix gracefully handles this condition by initializing the TCP connection state to the correct value to prevent service disruption.

154501 Fixed an issue where, in a connection forwarding setup, the optimization service crashes while shutting down if the neighbor service goes down simultaneously.

154841 Fixed an issue where non-ASCII usernames can result in the Domain Communication alarm being raised for Signed SMB or Encrypted MAPI connections.

155008 Improved the warning message when using ALL_IP as the source or destination subnet for fixed-target in-path rules. The new message recommends "Use All-IPv4 instead of All-IP with IPv4 target appliances" and "Use All-IPv6 instead of All-IP with IPv6 target appliances."

155253 Fixed an issue so that the ADSI attribute editor no longer throws an error when the SteelHead has joined in win2k8 mode (RODC mode).

155336 Fixed an issue where the disk space for logs became full after collecting Application Visibility stats. The system now dynamically scales back Application Visibility granularity thresholds when low disk space is detected.

155940 HTTP latency optimization was bypassed on large chunk-encoded transfers, by design, with the intent that large transfers would not benefit from latency optimization. This limit has been removed, as it has been found to inhibit beneficial optimizations on subsequent transactions.

156182 Fixed a potential but unlikely issue where the system shutdown could take more than 20 minutes.

157078 Upgraded BIND named from 9.9.3-P2 to 9.9.4-P2 for CVE-2014-0591.
    Details: A function in query.c in named in ISC BIND allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature.
    Fix: Upgraded BIND named from 9.9.3-P2 to 9.9.4-P2 for CVE-2014-0591.

157650 Outlook Anywhere connections are now correctly counted as using two HTTP connections, allowing MAPI Admission Control v2 to properly prioritize sessions for Admission Control actions.

158787 Fixed an issue where a CX570 or CX770 SteelHead would display errors in the syslog, such as the following, which do not impact operation and can be ignored:
    Feb 10 00:00:39 sv-sh99 hald[7665]: [hald.INFO]: hald_handle_query_request(), hald_main.c:631, build (null): No handler for bnode /hw/hal/raid/disk/0/disk_wear
    Feb 14 11:32:05 sv-sh99 hald[7707]: [hald.NOTICE]: RAID MOD: No need to initialize. Old model detected.
These warnings have been removed from the CX 570 and CX 770 models, as they do not use RAID.

158834 Fixed an issue with Notes Encryption Optimization where the server-side SteelHead fails to forward traffic to the unencrypted server port. This occurred under the following conditions:
    1) Enhanced Auto-Discovery (EAD) disabled
    2) Fixed-target rules between SteelHead appliances
    3) Probe caching enabled
This can result in encrypted Notes connections not being optimized. In this case you see a log message like the following:
    [notesencr2sfe.NOTICE] 1 {x.x.x.x:x y.y.y.y:1352} Server is requesting encryption on port 1352 and therefore cannot be optimized. This connection is passed through.
Note from the log that port 1352 was used even though the SteelHead was configured to send traffic to the unencrypted port 1353.

158916 Added support to allow SCEP signing requests to be validated by the previously issued and validated certificate. A new CLI command was added to enable this feature (instead of the default passphrase method):
    [no] secure-peering scep signed-renewal enable
The new mode still requires a valid passphrase for initial enrollment.

159136 Fixed a statistics accounting issue where bytes sent or received were erroneously accounted multiple times towards a single port.

159262 The hardware watchdog timed out during lookup of a connection in a corrupted connection table. The corruption was caused by lingering closed connections in the connection table. The fix gracefully removes closed connections from the connection table, thus avoiding corruption.

159419 Enabled multiple hardware queues for 10G interfaces in order to improve the performance of QoS marking and Path Selection. This fix works only when QoS Shaping is disabled.

159811 Fixed an issue where the domain-health test widgets were not honoring encrypted LDAP settings on domain controllers, resulting in test widget failures.

159861 Enhanced the SMB2 packet processor to gracefully handle invalid packets with incorrect data offsets. Graceful handling involves blacklisting and shutting down the connection on which invalid packets are seen. As a result, a crash of the optimization service is prevented.

160271 Fixed an issue where the auto-delegation and password replication policy features did not honor encrypted LDAP settings on domain controllers.

160407 New feature: The Apache httpd log format can now be configured with the CLI command web httpd log-format. The Web server banner ("Server:" in the HTTP response header) can be configured with the CLI command web httpd server-header *. To reset it to the default ("Apache"), use the CLI command no web httpd server-header.

160465 Fixed an issue that caused VLAN IDs to be erroneously copied to NetFlow records.

161458 Fixed a problem that occurred on the CX555 and CX755 platforms where the machine would sometimes reboot with a machine check exception after encountering a PCI completion timeout. This error is caused by a network adapter hardware issue.

161615 Fixed an issue where non-alphanumeric characters were not allowed in the NTLM Authentication Domain Health Check password field.

161827 This fix prevents configuring a SteelHead gateway IP address to be the same as one of the interface IP addresses.

162292 With the fix, domain name validation is done prior to performing the replication test, to show accurate failure reasons.

162336 Fixed a rare timing-related issue where the optimization service would shut down if the SSL Secure Peering handshake completed at the same time as an optimized encrypted Lotus Notes connection was being torn down. After the fix, the Lotus Notes Encryption Optimization blade checks whether the connection is being terminated before it processes messages from the SSL Secure Peering blade.

162343 Fixed a problem where a change in the in-path interface MTU was not propagated within the system, resulting in the blackholing of packets larger than 1500 bytes when Path Selection is enabled.

162404 MX-TCP connections are no longer stalled on a transmission timeout of a given TCP packet. On transmission timeout, the packet in question is now correctly retransmitted.

162443 Replaced the show connections all sort-by protocol command with the show connections all sort-by application command to match the Web UI when sorting connections by application.

162474 Fixed an optimization service crash when an optimized Outlook Anywhere connection was closed immediately after opening.

162498 This fixes the problem that the safety valve stays ON if the optimization service is shut down or restarted within a short period of time after the safety valve is triggered. The fix makes sure that the safety valve is turned OFF while the optimization service is shutting down and that the change is reported to management.

162513 Fixed an issue where, in certain rare cases, the SteelHead could report a "Needs Attention" status even though the condition that caused it had cleared. The "Needs Attention" status now clears appropriately.

162528 Samba password lockout and smbcacls security issue (CVE-2013-4496).
    Details: Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts.
    Fix: The samba package has been updated to address CVE-2013-4496.
    Recommendation: Upgrade to the patched version if applicable.

162553 Fixed the communication between the ESX Cloud SteelHeads and the Cloud Portal. The absence of this secondary communication resulted in the appliance not showing up against the license on the Cloud Portal.

162543 Fixed an issue where the alarm indicating IPv6 incompatibility between connection forwarding neighbors does not clear after the neighbors disconnect.

162658 Modified the CLI RAID commands to correctly identify the type of RAID a system is using. RAID commands that are not supported are reported as such on execution of any RAID CLI command.

162723 Fixed a memory leak in the stats gathering subsystem that can result in "paging activity too high" alarms on systems that have been running for several months.

163151 The application and regular expression filters match connections both by protocol and by application name. Entering TCP, for example, matches connections that are transported over TCP but whose application names do not explicitly include TCP.

163276 The change fixes the handling of empty Kerberos request packets on HTTP connections.

163298 The memory limit of the QoS process qosd was removed so that it no longer crashes when its memory usage hits 500 MB.

163324 Added a new alarm in RiOS that is triggered if Path Selection probe responses arrive at a WAN interface that is different from the WAN interface on which the probe requests were sent.

163333 Fixed a problem that caused a segmentation fault in Citrix::Frame::disassemble. This segmentation fault could only occur under the following conditions:
    1) Citrix optimization is enabled and Citrix traffic is being optimized.
    2) The Citrix traffic is secured with Citrix SecureICA.

163476 Fixed a leak of file descriptors in the winbindd process that can result in protocol errors for new Signed SMB or Encrypted MAPI connections.

163505 Fixed a problem that caused the log message "[cli.ERR]: user monitor: No response from HAL for uses_hardware_wdt" to be printed in the syslog when a non-admin user logged in. This problem did not prevent the CLI from being used.

163698 Serious SSL Heartbleed bug, CVE-2014-0160.
    Details: The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read. See http://heartbleed.com/ for more details.
    Fix: Upgraded OpenSSL to 1.0.1g to fix CVE-2014-0160 ("Heartbleed" bug).
    Recommendation: Upgrade to the patched version if applicable.

163925 Corrected three SMB3 port descriptions on the Monitored Ports configuration page of the Web UI. The descriptions were corrected for ports 8781, 8782, and 8783 to SMB3, SMB3 Signed, and SMB3 Encrypted, respectively.

164014 Enhanced the error notification to explain that configuring Path Selection channels on a SteelHead that is not peered with an Interceptor is not required.

164034 Fixed an issue where optimized bandwidth limits were not enforced on MX-TCP connections.

164133 Fixed the issue so that SOAP APIs are available again.

164188 Fixed the httpd settings to prevent the "No slotmem from mod_heartmonitor" message seen intermittently in the httpd logs.

164191 Improved the path state detection logic to recognize probe reroutes.

164382 The CX570, CX770, and SMC platforms do not support the CLI command no remote password. "Operation is not supported in the given platform" is now printed on the console if the command is executed.

  • 164384 Fixed an issue where Path Selection information for a connection was not visible in the UI "Current Connections" report.

    164386 Upgraded OpenSSL to 1.0.1g to address the CVE-2014-0160 to handle Heartbleed issue.

    164421 Corrected code logic specific to an HTTP HEAD request that was improperly blocking data.

    164503 Corrected a problem where the order of the incoming data was corrupted after the client TCP connection was reset. This behavior was leading to an internal crash; however, no corrupt data was ever sent to the client or server.

    164561 The Web user interface now supports key lengths of 3072 and 4096 for generating CA certificates. These values provide parity with the command-line interface, which introduced these key lengths in version 8.6.0. The key size is no longer allowed to be 512.

    164805 Fixed an issue in the RiOS kernel that could result in a kernel panic while adding a VLAN tag to an unoptimized packet during path selection.

    164812 The optimization service now closes the MAPI connection if an error condition is encountered during optimization, allowing Outlook to gracefully recover.

    164827 Original handling of SCEP events was not fully thread safe and there was a possibility of collisions that would cause this failure. Fixed event handling for SCEP events to be thread safe and follow safe procedure for interprocess events.

    164837 Fixed an issue that resulted in Windows clients failing to connect to a share on Windows 2012R1 Server with update KB2934016 installed. The fix corrects the size of metadata prefetch request issued by the client-side SteelHead. This size is calculated based on the server's maximum transaction size. Increasing the maximum transaction size to 8 MB by Windows update KB2934016 exposed a bug in the computation of prefetch request size.

    165027 IIS is sometimes responding with 401 authentication responses while an HTTP POST request is still sending data. This behavior triggers a connection-level bypass and, potentially, a crash on the SFE due to a defect in the bypass functionality introduced in 8.5.0.

    165075 Fixed an issue where the process rgpd would generate errors when it took too long for the process to terminate.

    165077 Modified the data store configuration file for the CX770L and CX770M models to change the data store size from 100 GB to 150 GB. Upgrading to an image containing the fix applies the new size. Note that this resizing operation cleans the data store.

    165090 Corrected code to flush data upon receipt of a connection EOF.

    165212 Fixed an issue related to collectord crash under high disk load.


    165217 Fixed the SteelHead's Client Authentication support feature to allow bypassing the connection when the ECDHE-RSA cipher suite is chosen.

    165253 The fix prevents the SteelHead from crashing and correctly handles connections to TCP server port 7840.

    165262 Enhanced the logic that maintains the state for optimized connections in the RiOS kernel to prevent referencing stale data that may result in a kernel panic.

    165343 Fixed a crash of the SteelHead optimization service when the Server Certificate Chain Discovery feature is enabled on the server-side SteelHead. The process crashed due to a NULL pointer dereference. The fix involved introducing NULL pointer checks.

    165427 Fixed an issue where packets transmitted from the primary interface have an incorrect source MAC address because they were unintentionally processed by the Path Selection feature.

    165433 Fixed an issue with SteelHead SaaS that caused a critical log entry: "[acp.CRIT]: Partial write on /dev/rbtpipe TUN device??? Unexpected!" when a non-IP packet was encountered. SteelHead SaaS does not process non-IP packets, so these packets now generate a warning log message, not critical, to alert the user of potential network misconfiguration.

    165611 In-path interfaces fail to come up after a software upgrade due to a failed memory allocation. Fixed the memory allocation failure that caused in-path interfaces to stay offline after a software upgrade. The failure resulted from the increase in memory usage of the system during a software upgrade.

    165657 Fixed a problem where automatic emails were sent from 32-bit appliances indicating "/usr/lib64/sa/sa1" and "/usr/lib64/sa/sa2" were missing. These commands are used to collect system activity data for debugging and do not impact normal system operation.

    165671 Fixed an issue where the image fetch command would fail if the disk drive containing the /var directory was replaced.

    165705 Fixed a memory leak issue that causes high memory usage on the SteelHead. The issue can result in memory admission control.

    165809 The optimization service would create an optimized MAPI connection for every TCP connection to a server TCP port 7830 even if the MAPI feature was disabled. The optimization service would create an optimized NSPI connection for every TCP connection to a server TCP port 7840. Those connections receive the corresponding latency optimization when MAPI or NSPI is enabled.

    165828 Fixed an issue where VLAN tags are stripped when the packets go through an ESX-based Virtual SteelHead. This fix affects both optimized and pass-through traffic.


    166123 CVE-2014-0198: OpenSSL SSL_MODE_RELEASE_BUFFERS denial of service
    Details: The do_ssl3_write function in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
    Fix: Applied a patch to the OpenSSL used for device management for CVE-2014-0198.
    Recommendation: Upgrade to the patched version if applicable.

    166355 Fixed a kernel crash that may occur because of incoming out-of-order fragmented TCP packets when the QoS and/or Path Selection feature is enabled.

    166549 When SteelHead encounters an ISATAP IPv6 address in a packet in virtual in-path deployments, it correctly passes through the packet by routing it.

    166647 This fix decreased the number of syslog messages printed by MAPI optimization so only one of those messages is logged for each optimized MAPI connection.

    166967 The service crash following a service restart after a SDR Card failure has been fixed.

    166977 Fixed an issue that caused sysdump collection to get stuck when TACACS+ per-command authorization is configured. This issue can occur if the admin account is not authorized by the TACACS+ server to execute the exit command in the CLI. During sysdump collection the CLI is launched multiple times internally, and if it cannot exit from the CLI, the collection cannot complete.

    166999 This change triggers an automatic password refresh of the SteelHead's domain account password.

    167109 Fixed an issue where the optimization service can crash when a MAPI connection is closed while processing an email with an attachment on that connection.

    167210 Fixed a memory leak in the DC discovery locator process.


    167322 Fixed an issue where optimization can occasionally fail for encrypted MAPI if encryption starts on a second MAPI protocol context. If Outlook starts encryption on a secondary protocol context, the optimization service does not attempt to start decryption on this context. If this condition is detected, the remainder of this connection is passed through and no longer optimized.

    167834 Fixed an issue where packet counts shown on the Current Connections page were calculated erroneously for the outer connection on the client-side SteelHead and inner connection on the server-side SteelHead. These packet count values are now correct in all cases. This bug was a cosmetic one and did not affect the reduction percentage calculation.

    168159 Upgrade OpenSSL to 1.0.1h/1.0.0m to patch OpenSSL security vulnerabilities (libraries used by sport)
    Details: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information via a crafted TLS handshake, also known as the "CCS Injection" vulnerability.
    Fix: Upgraded OpenSSL as used by the SteelHead optimization service process to 1.0.1h (or 0.9.8za for some older releases using 0.9.8) to fix CVE-2014-0224.
    Note: This patch also addresses the following security bugs that DO NOT affect RiOS:
        DTLS recursion flaw (CVE-2014-0221)
        DTLS invalid fragment vulnerability (CVE-2014-0195)
        SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
        SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
        Anonymous ECDH denial of service (CVE-2014-3470)
    Recommendation: Upgrade to the patched version if applicable.


    168163 CVE-2014-0224: Upgrade OpenSSL to 1.0.1h/1.0.0m to patch weak-keying MITM (libraries used by device management)
    Details: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
    Fix: Upgraded OpenSSL as used by device management to 1.0.1h (or 0.9.8za for some older releases using 0.9.8) to fix CVE-2014-0224. This patch also addresses the following security bugs that do not affect RiOS:
        DTLS recursion flaw (CVE-2014-0221)
        DTLS invalid fragment vulnerability (CVE-2014-0195)
        SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
        SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
        Anonymous ECDH denial of service (CVE-2014-3470)
    Recommendation: Upgrade to the patched version if applicable.

    173569 This fix causes the SteelHead to refresh its folder cache, for certain server types, even if notifications are missing. To enable the behavior, run the CLI command protocol cifs ignore-notifies enable on the client-side SteelHead.

    173665 Increased the memory admission control values so that they are adequate to support the maximum prescribed load for SteelHead models 770L and 770M.

    187833 Fixed a memory leak in the RiOS kernel that may occur in the client-side SteelHead in rare conditions where a client is opening a very large number of short-lived connections and the optimized connection setup between SteelHeads fails.

    187862 The Qosd memory leak was fixed and no leaks have been seen with this release.

    187883 Fixed an issue with the IPv6 packet parsing logic that resulted in IPv6 ICMP messages getting dropped before they could be processed.

    191370 Fixed an issue where invalid login requests can result in MAPI blacklist entries. Outlook can send an invalid login request, which results in a MAPI blacklist entry on the server-side SteelHead. With this change, such a blacklist entry is only made on the second invalid login request on a MAPI connection. This behavior allows a recovery and successful login by Outlook on the second attempt.


    191372 Fixed the problem where the inbound QoS class for optimized Citrix flows was mistakenly set to the default class.

    191761 Fixed an issue that results in failure of directory synchronization using ViceVersa software when CIFS optimization is enabled. Certain find requests on folder content were not forwarded to the server, causing the client to eventually close the connection.

    191775 Fixed an issue where the byte count reported by the CLI command show in-path gre-egress tbl included the GRE header of each packet egressing GRE tunnels.

    191836 Fixed an issue where the SSL peering trust between SteelHeads would not establish because certain SCEP servers rejected the CSRs generated by SteelHeads. OpenSSL 1.0.1h updated the default mask for encoding the ASN.1 DirectoryString to use UTF8String; this has been reverted to PrintableString.
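To confirm which string encoding a subject actually carries before a CSR reaches a strict SCEP server, here is an added example (not Riverbed or OpenSSL code) that walks a DER-encoded X.509 Name and reports the ASN.1 string tag of every attribute value. The sample subject (CN=sh-branch1, O=Example Corp) and the build_name helper are constructed for the demonstration.

```python
"""Report the ASN.1 string types used in a DER-encoded X.509 Name.

Added example (not Riverbed/RiOS code). Fix 191836 reverted the DirectoryString
encoding from UTF8String (the OpenSSL 1.0.1h default) to PrintableString because
some SCEP servers rejected CSRs that used UTF8String. The walker below lets an
operator inspect a subject Name (for example the subject extracted from a CSR)
and confirm which string tags it carries. The sample Names are constructed.
"""

# Universal ASN.1 tags for the string types a DirectoryString may use.
STRING_TAGS = {
    0x0C: "UTF8String",
    0x13: "PrintableString",
    0x14: "TeletexString",
    0x16: "IA5String",
    0x1E: "BMPString",
}

# DER-encoded OID values for a few common X.520 attribute types.
OID_NAMES = {
    b"\x55\x04\x03": "CN",
    b"\x55\x04\x0b": "OU",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x06": "C",
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos].

    Only definite lengths are handled, which is all that DER permits.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_tlv(tag, value):
    """DER-encode one TLV (used only to build the constructed sample Names)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def name_string_types(der_name):
    """Return [(attribute, string_type, text)] for every AttributeTypeAndValue.

    Name ::= SEQUENCE OF RelativeDistinguishedName,
    RelativeDistinguishedName ::= SET OF SEQUENCE { type OID, value DirectoryString }
    """
    tag, rdn_sequence, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must start with a SEQUENCE")
    result, pos = [], 0
    while pos < len(rdn_sequence):
        tag, rdn_set, pos = read_tlv(rdn_sequence, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        set_pos = 0
        while set_pos < len(rdn_set):
            _, atv, set_pos = read_tlv(rdn_set, set_pos)
            _, oid, value_pos = read_tlv(atv, 0)
            value_tag, value, _ = read_tlv(atv, value_pos)
            result.append((
                OID_NAMES.get(oid, oid.hex()),
                STRING_TAGS.get(value_tag, "tag 0x%02x" % value_tag),
                value.decode("utf-8", "replace"),
            ))
    return result


def uses_only_printable_string(der_name):
    """True if every attribute value is a PrintableString (what fix 191836 restores)."""
    return all(stype == "PrintableString" for _, stype, _ in name_string_types(der_name))


def build_name(attributes, string_tag):
    """Build a DER Name from [(oid_bytes, text)], encoding every value with string_tag."""
    rdns = b"".join(
        encode_tlv(0x31, encode_tlv(0x30, encode_tlv(0x06, oid) + encode_tlv(string_tag, text.encode("utf-8"))))
        for oid, text in attributes
    )
    return encode_tlv(0x30, rdns)


# Constructed sample subject with hypothetical names: CN=sh-branch1, O=Example Corp.
SAMPLE_ATTRS = [(b"\x55\x04\x03", "sh-branch1"), (b"\x55\x04\x0a", "Example Corp")]
PRINTABLE_NAME = build_name(SAMPLE_ATTRS, 0x13)  # what the reverted default produces
UTF8_NAME = build_name(SAMPLE_ATTRS, 0x0C)       # what OpenSSL 1.0.1h produced by default

if __name__ == "__main__":
    for label, name in (("PrintableString subject", PRINTABLE_NAME), ("UTF8String subject", UTF8_NAME)):
        print(label, "-> only PrintableString:", uses_only_printable_string(name))
        for attr, stype, text in name_string_types(name):
            print("   %s=%s (%s)" % (attr, text, stype))
```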

    191977 This fix enhances codec flow control to set its initial window to the configured WAN buffer size to avoid a potential slow start on high latency links. This fix also enhances codec flow control to avoid throttling of traffic in some situations where memory pressure is not imminent.

    192188 Fixed an issue where some optimized connections were not reported in the connection history. Branch warming connections were not reported in the count of optimized connections even though they count against the total optimized connection limit for the SteelHead. With this fix, all connections that count toward the optimized connection limit are reported in the connection history.

    192199 Fixed a problem that caused a crash in the optimization service when the Citrix protocol optimization component parsed the start of a Citrix connection. The stack contained these function calls:
        #0 0x... in IcaContext::basic_decrypt(Citrix::ByteBuffer*, bool) ()
        #1 0x... in UiDriver::UiDriver(AbstractDriver::DriverHeader const&, BufReader*, bool*) ()
        #2 0x... in AbstractDriver::create_driver(AbstractDriver::DriverHeader const&, BufReader*, std::basic_string*) ()
        #3 0x... in DriverInitResponse::DriverInitResponse(unsigned char, unsigned short, bool, BufReader*, bool*) ()
        #4 0x... in Citrix::DriverStack::parse() ()
        ...
    The crash happened while parsing a Citrix client packet at the start of the connection. These messages were observed in the system logs immediately before the crash:
        ... [/citrix/cfe/DriverStack INFO] {: :1494|2598} Parsed driver at index QQ"

    192346 Fixed an issue that caused an error to be reported when noncorrect mode IPv6 addresses are entered in the delegation lists (delegate-all, delegate-all-except).


    192930 Fixed an issue where usernames were not prevented from being created that started with a hyphen (-) or were longer than 31 characters. While user accounts with these values were created, they were not valid accounts that could be used for login.

    193347 CVE-2014-0191, CVE-2013-2877: Libxml2 security update RHSA-2014:0513-1
    Details:
    CVE-2014-0191: It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system.
    CVE-2013-2877: An out-of-bounds read flaw was found in the way libxml2 detected the end of an XML file. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to crash.
    Fix: Upgraded libxml2 to fix security vulnerabilities CVE-2014-0191 and CVE-2013-2877.
    Recommendation: Upgrade to the patched version if applicable.

    193744 GeoDNS for SH SaaS is used to locate the closest SteelHead against the destination Exchange-online (Office 365) server. This feature was disabled by default before RiOS 8.6.2. The feature has now been enabled by default. The feature should not be disabled under normal circumstances.

    193955 The optimization service no longer crashes when receiving an unexpected packet fragment while optimizing MAPI connections.

    193992 When an Interceptor has been added as a neighbor but no cluster channels have been configured, the stats may show direct channel paths instead of relayed paths. This fix displays a warning in such a case that the displayed paths may be incorrect.

    194051 Fixed an optimization service crash that can occur when an optimized MAPI connection opens a second MAPI protocol context, but the connection has previously encountered an optimization error.

    194193 This fix ensures that optimization service correctly handles encrypted MAPI connection setup in the service shutdown path.


    195020 Upgrade Apache httpd 2.4 to 2.4.10 and 2.2 to 2.2.28 (or 2.2.27 with patches) for CVE-2014-0117, CVE-2014-0226, CVE-2014-0118, CVE-2014-0231
    Details:
    CVE-2014-0117: mod_proxy: DoS attack against a reverse proxy via a crafted HTTP Connection header.
    CVE-2014-0118: mod_deflate: DoS via a highly compressed crafted request message body.
    CVE-2014-0231: mod_cgid: DoS against a CGI script due to lack of a timeout.
    CVE-2014-0226: mod_status: Heap overflow denial of service attack. Note that RiOS is not impacted by CVE-2014-0226 as it does not include the affected mod_status module.
    Fix: Upgraded Apache on RiOS 8.0 and higher to fix multiple denial of service issues.
    Recommendation: Upgrade to the patched version if applicable.

    196061 Three new MAPI Command Line Interface commands are now available. You can now enable the multi-context feature for MAPI and Outlook Anywhere connections. You can also enable the multi-auth support for encrypted MAPI connections. See the SteelHead deployment guide for details. The commands are:
        protocol mapi encrypted multi-auth enable
        protocol mapi multi-context enable
        protocol mapi outlook-anywhr multi-context enable

    196239 Fixed a problem where a lock was not properly being released in the Citrix optimization blade. This issue would result in other threads being blocked while trying to acquire the lock, which would eventually cause the watchdog timer to detect the threads as unhealthy and temporarily put the optimization service in bypass.


    196534 Upgrade OpenSSL to 1.0.1i, 1.0.0n, and 0.9.8zb for security advisory "secadv_20140806" (CVE-2014-3508, CVE-2014-3509, CVE-2014-3511 and others)
    Details: The OpenSSL security advisory https://www.openssl.org/news/secadv_20140806.txt identifies several vulnerabilities, of which the following impact RiOS:
    CVE-2014-3508: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of \0 characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.
    CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
    CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
    Fix: OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20140806.
    Recommendation: Upgrade to the patched version if applicable.


    197047 Krb5 1.9 security update for CVE-2014-4341, CVE-2014-4342, and CVE-2014-4344.
    Details: This security update addresses the following issues:
    CVE-2014-4341: MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.
    CVE-2014-4342: MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read or NULL pointer dereference, and application crash) by injecting invalid tokens into a GSSAPI application session.
    CVE-2014-4344: MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.
    Fix: Krb5 has been patched for CVE-2014-4341, CVE-2014-4342, and CVE-2014-4344.
    Recommendation: Upgrade to the patched version if applicable.

    197150 Fixed an issue causing a service restart to become required, even though no configuration was changed, after a configuration import fails from the Web user interface.

    197894 Fixed an issue so that IPs specified with the protocol domain-auth delegation rule dlg-only command now appear in the show running config command output.

    198228 Removed the CLI command protocol mapi skip-copy enable. The cached mode accelerator now behaves as intended without this command.

    200048 When SDR adaptive is enabled (either Legacy or Advanced), use sustained CPU pressure as an alternate trigger to send resource pressure messages to a peer SteelHead.

    200281 Fixed an issue that resulted in disruption of client-side optimization service when basic-dialect was enabled for SMB2 and the client negotiated an invalid SMB2 dialect. The function backtrace shows Smb::NegotiateRequest::~NegotiateRequest function on the stack.


    200367 glibc security update for CVE-2014-5119 and CVE-2014-0475
    Details:
    CVE-2014-5119: Off-by-one error in the GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.
    CVE-2014-0475: Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.
    Fix: Glibc packages updated to fix CVE-2014-5119 and CVE-2014-0475.
    Recommendation: Upgrade to the patched version if applicable.

    200449 Fixed a problem that caused an assertion failure when optimizing encrypted Lotus Notes connections. At the point of the crash, the following log message was seen on the server-side SteelHead:
        [assert.CRIT] - {- -} ASSERTION FAILED (lock_->held_by_me()) at /builddir/build/BUILD/sport-0.1/rbt/iocore/action.cc:50.
    The stack trace pointed to an assertion failure in the event system code:
        #2 0x0... in assert_failure(char const*, char const*, char const*, int) ()
        #3 0x0... assert_failure(char const*, char const*, int) ()
        #4 0x0... in ActionInternal::is_cancelled() const ()
        #5 0x0... in NetIOChannel::handle_event(EventSource, EventType, void*, void*) ()
        #6 0x0... in EventThread::process_pollfds(int) ()
        #7 0x0... in EventThread::run() ()
    The crash happened because the optimization service was performing read/write operations on an aborted TCP connection between the server-side SteelHead and the Lotus Notes server.


    200896 CVE-2014-3535: Linux kernel VXLAN NULL pointer dereference flaw
    Details: CVE-2014-3535: The Linux kernel before 2.6.36 incorrectly uses macros for netdev_printk and its related logging implementation, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) by sending invalid packets to a VXLAN interface.
    Fix: Patched the Linux kernel to fix CVE-2014-3535.
    Recommendation: Upgrade to the patched version if applicable.

    201032 Fixed an issue where multiple pools of connections between SteelHeads could be created depending on the path selection configuration. With the fix, the number of connection pools established between SteelHeads no longer depends on the path selection configuration.

    201486 Fixed an issue that disallowed the hextets of IPv6 addresses for the Delegate-Only and Delegate-All-Except lists from having leading zeroes.

    201789 Fixed an issue where the CLI command show usernames returns "No user accounts found" when used with TACACS+ per-command authorization.

    202439 Enabling and disabling REST API access now requires Read-Write permission to the General Settings role.

    202528 Fixed an issue that caused the image fetch to timeout after 5 minutes and fail with some SSH servers. The timeout occurs with SSH servers configured to prompt "Password:". For OpenSSH this behavior occurs when the "ChallengeResponseAuthentication" setting is yes.

    202568 Fixed an issue such that if the user does not have permission to run the stats restore and stats restore continue CLI commands, they are now properly marked as permission denied (with a trailing asterisk).

    202700 Fixed an issue so that the ADSI attribute editor no longer throws an error when the SteelHead has joined in win2k8 mode (rodc mode).


    202825 Fixed an issue that prevented Role Based Management users from changing their passwords on the WebUI My Account page. Changing their password would fail with the error message "The current password entered does not match the user's actual current password". This error would only occur when account control was enabled, and Minimum Character Difference Between Passwords was set to 0. The WebUI would not allow users to enter their old password while the system was incorrectly requiring them to still enter it.

    202898 CVE-2014-6271, CVE-2014-7169: Bash Code Injection Vulnerability via Specially Crafted Environment Variables
    Details:
    CVE-2014-6271: A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
    CVE-2014-7169: It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
    Refer to this knowledge base article for detailed information on the impact of this vulnerability on Riverbed products and services: https://supportkb.riverbed.com/support/index?page=content&id=S24997
    Fix: The Bash component was updated in Riverbed products and services to fix the "ShellShock" vulnerability (CVE-2014-6271, CVE-2014-7169). As a part of this update, the following related issues were also fixed:
        CVE-2014-6277
        CVE-2014-6278
        CVE-2014-7186
        CVE-2014-7187
    Recommendation: Upgrade to the appropriate patched versions of software as listed in the above KB article.

    203852 Corrected logic where the line length limit was not properly being applied.


    204069 Added missing help text for the show authentication and show tcpdump commands.

    204080 Fixed a problem with Discovery Agent and agent-intercept mode optimization on long network paths with many hops. Auto-discovery could have failed (leading to pass-through connections) due to auto-discovery packets not reaching the client-side SteelHead. The TTL on auto-discovery packets was being reused from the previous packet on the flow, causing the TTL to reach zero faster than the actual number of hops the packet traverses.

    204264 To access the Alarm Status page, the Role Based Management (RBM) user must now have read/write access to the product-specific diagnostic role. On SteelHead this is Basic Diagnostics. On CMC or SMC it is respectively CMC or SMC Diagnostics.

    204269 New Feature: Updated time zone information to 2014h. This includes updated time zones for Russia that went into effect on October 26th, 2014.

    204870 Enhanced the error message logged when optimization service cannot be enabled if none of the in-path interfaces has an IPv4 address configured.

    205540 Fixed a problem where uploading of configuration files would sometimes not replace the configuration on the server if the file already existed. This issue was due to the functionality that permitted uploading of large files to continue where they left off if the connection was lost. It would not transfer a file if one of the same size already existed on the remote server. In the case of configuration files, it is possible for minor configuration changes to cause the file size to stay the same.


    205665 Upgrade to OpenSSL 1.0.1j/1.0.0o to patch OpenSSL security vulnerabilities (libs used by sport)
    Details: The OpenSSL security advisory https://www.openssl.org/news/secadv_20141015.txt identifies several vulnerabilities, of which the following impact RiOS:
    CVE-2014-3566: Some client applications (such as browsers) reconnect using a downgraded protocol to work around interoperability bugs in older servers. This issue could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566).
    Fix: OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20141015.
    Recommendation: Upgrade to the patched version if applicable.


    205667 Upgrade OpenSSL to 1.0.1j for security advisory "secadv_20141015": CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568
    Details: This update addresses the following issues:
    CVE-2014-3566 (POODLE attack): The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.
    CVE-2014-3567 (Session ticket memory leak): A flaw in the session ticket integrity check mechanism allows an attacker to cause a denial of service attack by sending a large number of invalid session tickets.
    CVE-2014-3568 (Incomplete no-ssl3 build option): When OpenSSL is configured with "no-ssl3" as a build option, the option was effectively ignored, and SSL 3.0 was still allowed.
    Fix: OpenSSL has been updated to address CVE-2014-3566, CVE-2014-3567 and CVE-2014-3568. This update also includes a fix for CVE-2014-3513, though RiOS is not impacted by it.
    Recommendation: Upgrade to the patched version if applicable.

    205746 In a SteelHead that has more than 500 optimized connections, a memory leak may happen in the process mgmtd when loading the current connection report. This memory leak has been resolved.

    205927 CVE-2014-3660: libxml2: denial of service via recursive entity expansion
    Details: Libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
    Fix: Upgraded the libxml2 package to address CVE-2014-3660.
    Recommendation: Upgrade to the patched version if applicable.


    217618 Fixed the issue where probes from the parent SteelHead were never path-selected and hence not encrypted through Secure Transport. This behavior was intentional by Path Selection's design for satisfying the use case of a typical middle SteelHead in a deployment. Since this fix is not available in 9.0.0, Secure Transport Concentrator mode is not available in this release. This functionality is controlled by a CLI command, but a hybrid networks push from the SCC enables this configuration automatically.

    220361 Fixed a problem for customers entering IBM Domino server ID files for Domino servers that contain an ampersand (&) in their names. Without this fix, the customer would experience the following symptoms:
    1) For Domino servers with names containing XML special characters and whose server IDs were entered in the SteelHead Lotus Notes optimization configuration, the listing of the server in the Encryption Optimized Servers would not contain characters past and including the special character. For instance, if a Domino server had the following name (note the '&' XML special character in the OU):
        CN=my_server/OU=&eng/O=Riverbed
    the display would only show:
        CN=my_server/OU=
    2) Also, when a Notes connection was intercepted by the SteelHead and the server name contained an XML special character, the server ID entered by the customer was not recognized, resulting in the server being placed in the unoptimized IP address list. Connections for this server would be optimized as NOTES but not as NOTES-ENCRYPT.
    For reference, the XML special characters that would impact this are: & < > ' "

    4) KNOWN ISSUES

    123809 Cloud Portal does not disassociate a license from a Cloud SteelHead when the command to release it is performed only on the SteelHead. A Remove License or no license client init operation performed on a Cloud SteelHead does not release the license on the portal. To do so on the Cloud Portal, navigate to the Appliances tab, click the appliance from which the license needs to be reclaimed, and click Reclaim License from Appliance. This makes the license available for use again on the Cloud Portal.

    154426 In very rare circumstances, the optimization service aborts due to an infinite loop when processing CIFS reads.


    164780 For customers who use Path Selection, Quality of Service, NetFlow DPI, or Application Visibility, SMB2 connections may be reported as CIFS on the Current Connections report. There is not yet a workaround for customers who use any of these four features. The issue is to be fixed in version 9.0.1.

    187856 Path Selection does not work for in-path interfaces on which the optimization service has been disabled. After the optimization service on an in-path interface has been disabled, reboot or power cycle the appliance.

    195507 A SteelHead is not reachable for Path Selection from remote peers if its optimization service is disabled.

    195691 Under certain conditions, TCP acknowledgement is not sent during connection kickoff.

    197021 The SteelHead periodically fails to send NetFlow messages to the collector under rare conditions of heavy load. The following error message in the syslog is a symptom of this issue: "unable to send flow packet: [11]: Resource temporarily unavailable". Workaround: increase the UDP socket buffer size available for NetFlow exports.

    198015 The SteelHead cannot be managed by the SteelCentral Controller for SteelHead (versions 9.0.0 and above) when the requisite management channels are not established. SCC versions 9.0.0 and above require two channels to the appliance: an SSH channel and an HTTPS channel. The status of these channels can be viewed on the SteelHead terminal with the command show scc. A sample output of this command is shown below:
        amnesiac > show scc
        Auto-registration: Enabled
        HTTPS connection (to the CMC):
          Status: Connected
          Hostname: bravo-sh378
        SSH connection (from the CMC):
          Status: Connected
          Hostname: bravo-sh378 (10.5.39.87)
    When the host for the HTTPS and SSH connections is different, or both channels do not have "Connected" status, the appliance cannot be fully managed by the SCC. In order to connect a SteelHead to the SCC, use the command scc hostname in configure mode to establish the connections. If both connections show "Connected" to two different SCCs, remove the appliance from the Manage -> Appliances page on the SCC that is incorrect and update the appliance username and password on the correct SCC. If the SCC hostname was never configured on the appliance, the appliance tries to connect to the host riverbedcmc. Make sure to update your DNS to point the hostname riverbedcmc to the correct SCC that is managing the appliance.


    199317 QoS and DPI reporting on the Profiler will not function with data collected from SteelHeads running RiOS 9.0. No workaround is available at this time. Report functionality will be restored with a future SteelHead release.

    200056 In a very rare case, when flow collectors are configured and the primary interface's IP address is changed during appliance boot-up, many error messages of the form "[netflow.ERR] - {- -} uninitialized socket error in send" can be seen in the syslog. If these messages are seen, removing and re-adding the flow collectors resolves the issue.

    204223 During the initial boot process, customers might see an error log from stp_client about not being able to retrieve the site ID from the appflow service. The secure transport client service (stp_client) is designed to retry on such failures. These are innocuous log messages and can be ignored as long as the stp_client service succeeds in retrieving the site ID from appflow on a subsequent retry.

    204386 A warning message is displayed in the logs about MSPEC licenses expiring during Virtual SteelHead startup. The warning is invalid and can be ignored.

    217580 Excessive memory consumption can be experienced when configuring about 200 topology sites. This behavior can lead to high swapping activity and system slowdown on low-end SteelHead models (1050M). Disable Inbound and Outbound QoS before configuring the sites. Enable QoS again after all the sites have been configured.

    217732 During appliance boot-up, as various services are starting in the appliance, sometimes a user cannot log in and sees a message saying, "Unable to sign in: Failed obtaining authorization data for user." Wait a few moments, and try again.

    219862 SteelHeads with CCX licenses in Azure and ESX display incorrect license parameter values on the Licenses page of the UI. Do not refer to the bandwidth and connection limit numbers displayed there. Refer to the published official model specs document instead.

    220172 After upgrading and restarting an appliance that uses TACACS authentication, the Web user interface may be unavailable for a few minutes. It appears available but indicates that authentication failed. Retry the login after 2 minutes.

    221213 With the 9.0.0 release, sysdumps are known to take more time than in previous releases. This is caused by more information being collected to improve the effectiveness of the data in troubleshooting issues, along with new feature data being gathered. There is no workaround.

    221755 With secure transport enabled, the control channel connection toward 'stp.controller' is in the "CONNECTION_FAILED" state on the SteelHead, and a crash of the yarder_core process in the function ConnectionMgmt._establish_websocket_connection is observed in the logs. The workaround is to restart the yarder_core process with the following CLI command:
        # pm process yarder_core restart


    5) UPGRADING THE RIOS SOFTWARE VERSION

    Review the SteelHead Appliance Installation and Configuration Guide for information on upgrading the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see the Virtual SteelHead Appliance Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services User's Guide.

    6) STEELCENTRAL CONTROLLER FOR STEELHEAD (SCC) COMPATIBILITY

    SCC was formerly known as Central Management Console (CMC). Review the SteelHead Appliance Installation and Configuration Guide for information on SCC compatibility.

    7) HARDWARE AND SOFTWARE DEPENDENCIES

    Review the SteelHead Appliance Installation and Configuration Guide for information on hardware and software dependencies. For Virtual SteelHeads, see the Virtual SteelHead Appliance Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services User's Guide.

    8) CONTACTING RIVERBED SUPPORT

    Visit the Riverbed Support site to download software updates and documentation, browse our library of Knowledge Base articles and manage your account. To open a support case, choose one of the options below.

    Phone Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial +1 415-247-7381.

    Online You can also submit a support case online.

    Email Send email to [email protected]. A member of the support team will reply as quickly as possible.

    2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.
