Vulnerabilities have been detected in the Linux kernel that require a kernel upgrade. For more information, visit the Advanced Research Center.
To apply the latest security updates, upgrade the Linux Operating System kernel and application packages manually on the TIE Server appliance, as described below.
IMPORTANT: The following procedure has been tested with the packages specified. Implementation of this fix with other versions might fail and is not supported.
Upgrade the Linux Operating System kernel to the latest version:
NOTE: Schedule downtime for the Linux Operating System kernel upgrade process.
- Download the mkinitrd and vmid packages from the Linux Operating System repository.
- If you're running on Bare Metal with an Intel microchip, download the Intel microcode package from the Linux Operating System repository.
- Download the kernel packages from the Linux Operating System repository.
- Copy the RPMs downloaded in the previous step to the TIE Server appliance.
- Connect to the appliance using SSH and switch to the root user with the following command:
$ su -
- Change the directory to the location where the RPMs are copied.
- To install them, type the following commands:
NOTES:
- If you're not running on Bare Metal with an Intel microchip, Steps c and d aren't needed.
- Make sure that you use the correct kernel package that you downloaded.
  a. Confirm that mkinitrd is already upgraded:
     rpm -qa mkinitrd
  b. If the downloaded mkinitrd version isn't installed, upgrade it:
     rpm -Uvh --checksig vmid-1.0-1.mlos2.x86_64.rpm mkinitrd-6.1-42.mlos2.x86_64.rpm
  c. Confirm whether the downloaded Intel® microcode or a newer one is already installed:
     rpm -qa | grep intel-ucode
  d. If the downloaded intel-ucode or a newer one is not installed, type the following command to install it:
     rpm -Uvh --checksig --nopost --nodeps intel-ucode-20191115-4.mlos2.x86_64.rpm
  e. Confirm whether the downloaded kernel or a newer one is already installed:
     rpm -qa | grep kernel
  f. If the downloaded kernel or a newer one is not installed, type the following command to install it:
     NOTE: Depending on the current Linux Operating System kernel in use, you might see some harmless warnings.
     rpm -ivh kernel-4.9.206-1.mlos2.x86_64.rpm
- After the upgrade is complete, verify that the new kernel is installed and selected as the default with the following command:
cat /boot/grub/grub.conf
Example of the output you see:
default=0
[...]
title McAfee TIE Platform Server (vmlinuz-4.9.189-1.mlos2.x86_64)
[...]
If the default doesn't match the entry associated with the installed kernel, update the value using an editor such as vi.
- To complete the process, reboot the appliance with the following command:
reboot
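A scripted form of the grub.conf check in the kernel procedure above, to be run before the reboot step. This is an added example, not part of the vendor procedure: the function names and the sample grub.conf contents (timeout, root and kernel lines, root device) are constructed, and it assumes legacy GRUB syntax in which default=N is a 0-based index into the title entries.

```shell
#!/bin/sh
# Added example: report which kernel legacy GRUB will boot by default.

# Constructed sample; on the appliance the input is /boot/grub/grub.conf.
sample_grub_conf() {
    cat <<'EOF'
default=0
timeout=5
title McAfee TIE Platform Server (vmlinuz-4.9.206-1.mlos2.x86_64)
    root (hd0,0)
    kernel /vmlinuz-4.9.206-1.mlos2.x86_64 ro root=/dev/sda2
title McAfee TIE Platform Server (vmlinuz-4.9.189-1.mlos2.x86_64)
    root (hd0,0)
    kernel /vmlinuz-4.9.189-1.mlos2.x86_64 ro root=/dev/sda2
EOF
}

# Print the stanza selected by "default=N" (0-based index into the title
# lines; GRUB uses 0 when the line is absent). Reads FILE, or stdin for "-".
# Fails if N is not a number (e.g. "saved") or points past the last entry.
grub_default_stanza() {
    awk '
        /^[ \t]*#/ { next }                       # skip comments
        /^[ \t]*default[ \t=]/ {
            d = $0; sub(/^[ \t]*default[ \t=]+/, "", d); sub(/[ \t]+$/, "", d); next
        }
        /^[ \t]*title[ \t]/ { n++; stanza[n - 1] = "" }
        n > 0 { stanza[n - 1] = stanza[n - 1] $0 "\n" }
        END {
            if (d == "") d = 0
            if (d !~ /^[0-9]+$/ || d + 0 >= n) exit 1
            printf "%s", stanza[d + 0]
        }
    ' "${1:--}"
}

# Exit 0 if the default stanza names VERSION on its title or kernel line,
# 1 if it names a different kernel, 2 if the default entry cannot be resolved.
# -w stops a shorter version string from matching a longer one.
grub_default_boots() {   # usage: grub_default_boots FILE VERSION
    stanza=$(grub_default_stanza "$1") || return 2
    printf '%s\n' "$stanza" | grep -E '^[[:space:]]*(title|kernel)[[:space:]]' |
        grep -qwF -- "$2"
}

if sample_grub_conf | grub_default_boots - 4.9.206-1.mlos2.x86_64; then
    echo "default entry boots 4.9.206-1.mlos2.x86_64"
else
    echo "default entry does not boot the new kernel; fix default= before rebooting"
fi
```

On the appliance, call grub_default_boots with /boot/grub/grub.conf and the version string of the kernel RPM that was installed.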
Upgrade the OpenSSL library to the latest version:
- To determine which version of the package is installed, type the following command:
$ rpm -qa openssl
- If an upgrade is needed, download the latest packages from the Linux Operating System repository.
- Copy the RPMs downloaded in the previous step to the TIE Server appliance.
- Connect to the appliance using SSH and switch to the root user with the following command:
$ su -
- Change the directory to the location where the RPMs are copied.
- To install them, type the following command:
rpm -Uvh --checksig openssl-1.0.2u-2.mlos2.x86_64.rpm openssl-libs-1.0.2u-2.mlos2.x86_64.rpm
- Reboot the TIE Server with the following command:
reboot
- Verify that the TIE services are healthy:
- Open the ePO console.
- Click Menu, Configuration, and select Server Settings.
- Select the TIE Server Topology Management section.
- Verify the DXL, ATD, and GTI connectivity status of each TIE Server instance.
Upgrade the OpenSSH library to the latest version:
- To determine which version of the package is installed, type the following command:
$ rpm -qa openssh
- If an upgrade is needed, download the latest packages from the Linux Operating System repository.
- Copy the RPMs downloaded in the previous step to the TIE Server appliance.
- Connect to the appliance using SSH and switch to the root user with the following command:
$ su -
- Change the directory to the location where the RPMs are copied.
- To install them, run the following command:
rpm -Uvh --checksig openssh-7.4p1-17.mlos2.x86_64.rpm openssh-server-7.4p1-17.mlos2.x86_64.rpm openssh-clients-7.4p1-17.mlos2.x86_64.rpm
- Reboot the TIE Server using the following command:
reboot
- Verify that the packages are updated successfully by restarting the SSH connection.
Troubleshooting:
If the TIE Server fails to boot after the Linux Operating System kernel upgrade:
- Reboot the system. In the boot menu, select the previous Linux Operating System kernel.
- After you boot the TIE Server with the old Linux Operating System kernel, collect a MER and contact Technical Support.