Eventparser.exe and Apache.exe crashes frequently, faulting module name: ccme_base.dll is reported after you upgrade to ePO 5.10 SP1
Technical Articles ID:
KB96464
Last Modified: 2023-05-09 17:44:56 Etc/GMT
Last Modified: 2023-05-09 17:44:56 Etc/GMT
Environment
ePolicy Orchestrator 5.10 Service Pack 1 (ePO 5.10 SP1) - Build 4067
ePolicy Orchestrator 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU) - Update tool build 1352
ePolicy Orchestrator 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU) - Update tool build 1352
Problem
The Eventparser.exe and Apache.exe experience repeated application crashes.
The Windows Event Viewer records the following application crash events:
Application Error Application Crashing Events 1000 N/A EPOSERVER Faulting application name: eventparser.exe. version: 5.10.0.4067. time stamp: 0x6425c1be Faulting module name: ccme_base.dll. version: 4.1.4.0. time stamp: 0x5c6f90c3 Exception code: 0xc0000005 Fault offset: 0x000220fd Faulting process id: 0x1530 Faulting application start time: 0xeventparser.exe0 Faulting application path: eventparser.exe1 Faulting module path: eventparser.exe2 Report Id: eventparser.exe3 Faulting package full name: eventparser.exe4 Faulting package-relative application ID: eventparser.exe5 None
Application Error Application Crashing Events 1000 N/A EPOSERVER Faulting application name: apache.exe. version: 2.4.56.0. time stamp: 0x64101dad Faulting module name: ccme_base.dll. version: 4.1.4.0. time stamp: 0x5c6f90c3 Exception code: 0xc0000005 Fault offset: 0x000220fd Faulting process id: 0x1d84 Faulting application start time: 0xapache.exe0 Faulting application path: apache.exe1 Faulting module path: apache.exe2 Report Id: apache.exe3 Faulting package full name: apache.exe4 Faulting package-relative application ID: apache.exe5 None
During Eventparser service start-up, the eventparser_<systemname>.log records the following errors:
I #09264 EVNTPRSR Initializing Server... I #09264 EVNTPRSR Database initialization: Starting. I #09264 NAISIGN Found master install key, decoding I #09264 MFEFIPS Loading: "C:\PROGRA~2\McAfee\EPOLIC~1", Role = Officer, Mode = Normal E #09264 MFEFIPS mfefips_Initialize.cpp(55): Exception class BSAFE::Exception, what()=BSAFE Error (10027), file=bsafe_CryptoLib.cpp, line=173 E #09264 NAISIGN RSAMgr.cpp(86): Error initializeing MFEFIPS library: 0x0000272B E #09264 MFEFIPS mfefips_SymmetricKeyLoad.cpp(33): Exception class BSAFE::Exception, what()=BSAFE Error (10013), file=bsafe_CryptoLib.cpp, line=49 E #09264 NAISIGN naisign.cpp(2941): Error initializing symmetric key. E #09264 EVNTPRSR D:\BUILD_1249089\BUILD\ePO\dev\src\server\include\ePOData.inl(445): Missing DB connection info in C:\PROGRA~2\McAfee\EPOLIC~1\Server\conf\orion\DBFAC3~1.PRO E #09264 EPODAL ePOData_Connection.cpp(393): Error 0x80000008 returned from credentials callback. Database NOT available E #09264 EVNTPRSR D:\BUILD_1249089\BUILD\ePO\dev\src\server\include\ePOData.inl(474): Database initialization: Failed (hr=0x80000008). E #09264 EVNTPRSR source\servinit.cpp(167): Failed to initialize database layer. Cannot continue. I #09264 EVNTPRSR EventParser Stopped.
I #02760 MOD_EPOREPO Database initialization: Starting. I #02760 NAISIGN Found master install key, decoding I #02760 MFEFIPS Loading: "C:\PROGRA~2\McAfee\EPOLIC~1", Role = Officer, Mode = Normal I #02760 MFEFIPS Module Initialized.
I #02760 MFEFIPS MFEFIPS_Status() returned 1 E #02760 MFEFIPS mfefips_SymmetricKeyLoad.cpp(33): Exception class BSAFE::Exception, what()=BSAFE Error (10013), file=bsafe_CryptoLib.cpp, line=49 E #02760 NAISIGN naisign.cpp(2941): Error initializing symmetric key. \E #02760 MOD_EPOREPO D:\BUILD_1249089\BUILD\ePO\dev\src\server\include\ePOData.inl(445): Missing DB connection info in C:\PROGRA~2\McAfee\EPOLIC~1\Server\conf\orion\DBFAC3~1.PRO E #02760 EPODAL ePOData_Connection.cpp(393): Error 0x80000008 returned from credentials callback. Database NOT available E #02760 MOD_EPOREPO D:\BUILD_1249089\BUILD\ePO\dev\src\server\include\ePOData.inl(474): Database initialization: Failed (hr=0x80000008). E #02760 MOD_EPOREPO mod_eporepo.cpp(216): Failed to connect to database, shutting down repository module, system error 0x80000008
The Windows Event Viewer records the following application crash events:
Application Error Application Crashing Events 1000 N/A EPOSERVER Faulting application name: apache.exe. version: 2.4.56.0. time stamp: 0x64101dad Faulting module name: ccme_base.dll. version: 4.1.4.0. time stamp: 0x5c6f90c3 Exception code: 0xc0000005 Fault offset: 0x000220fd Faulting process id: 0x1d84 Faulting application start time: 0xapache.exe0 Faulting application path: apache.exe1 Faulting module path: apache.exe2 Report Id: apache.exe3 Faulting package full name: apache.exe4 Faulting package-relative application ID: apache.exe5 None
During Eventparser service start-up, the eventparser_<systemname>.log records the following errors:
I #02760 MFEFIPS MFEFIPS_Status() returned 1
System Change
You installed or upgraded to ePO 5.10 SP1 using either the ePO 5.10 SP1 or ePO 5.10 SP1 CU package on a system with a CPU that has SHA-NI extensions enabled.
You can use this information as a guideline to determine if SHA-NI extensions are available on the CPU for the system hosting ePO:
NOTE: This information is provided on a best-effort basis. Contact the vendor for your system to definitively determine if SHA-NI CPU extensions are enabled.
Intel®
The following Intel processors support the SHA instruction set:
The following AMD processors support the SHA instruction set:
You can use this information as a guideline to determine if SHA-NI extensions are available on the CPU for the system hosting ePO:
NOTE: This information is provided on a best-effort basis. Contact the vendor for your system to definitively determine if SHA-NI CPU extensions are enabled.
Intel®
The following Intel processors support the SHA instruction set:
- Intel Goldmont and later Atom microarchitectures processors—Initially released in Q4 2017.
NOTE: This series of processors was developed for low-cost devices such as tablets and low-end PCs, and is unlikely to be used by an ePO server. - Intel Ice Lake and later processors—Initially released Q2 2021.
- Intel Rocket Lake and later processors—Initially released Q1 2021.
The following AMD processors support the SHA instruction set:
- AMD Zen and later processors—Initially released Q1 2017.
Cause
An issue in the BSAFE crypto library when used on a system with a CPU that has SHA-NI extensions enabled results in an application crash when initializing the library. As both ePO handler services use this library to decrypt the password hash for the database, this issue leaves both the Apache and Eventparser services inoperable.
Solution
We have released a refreshed build of both ePO 5.10 Service Pack 1 and ePO 5.10 Service Pack 1 Update which addresses this issue. If your current ePO 5.10 server is at build 5.10.0.4067 then you can upgrade it to the build 5.10.0.4098 using the following instructions, regardless of what upgrade path you used to arrive at 5.10.0.4067.
Simplified Instructions:
Verbose Instructions:
NOTE: Only follow these instructions if you required more detailed steps than the simplified instructions provided.
Step 1 — Identify your current ePO 5.10 build number:
NOTE: You have to repeat the following instructions on all remote agent handlers if you have any.
Simplified Instructions:
- Verify your ePO 5.10 build number is 5.10.0.4067.
- Download the refreshed release of ePO 5.10 SP1 Update package. The filename name is ePO_5.10.0_1359_ServicePack1Update.zip. For more information about the package download instructions, see KB56057 - How to download product updates and documentation.
- Run the update in repair mode on your ePO server as well as any remote agent handlers in the environment.
- Verify your ePO 5.10 build number is now 5.10.0.4098.
Verbose Instructions:
NOTE: Only follow these instructions if you required more detailed steps than the simplified instructions provided.
Step 1 — Identify your current ePO 5.10 build number:
- Log on to the ePO console.
- Go to Menu, Configuration, Server Settings.
- Select Server Information.
- Review the build number in the Version column.
- Restore the ePO database if it isn't already hosted on the SQL server. For help, see KB52126 - How to back up and restore the ePolicy Orchestrator database using SQL Server Management Studio for details.
- Run the following query against your ePO database. For help, see KB67591 - How to run a SQL script provided by Technical Support against the ePolicy Orchestrator database.
select [Version] from OrionExtensions where [Name] = 'EPOCore'
- Note the value returned. This will be the build number for the ePO server associated with that database.
NOTE: You have to repeat the following instructions on all remote agent handlers if you have any.
- Download the refreshed release of ePO 5.10 SP1 Update package. The filename name is ePO_5.10.0_1359_ServicePack1Update.zip. For more information about the package download instructions, see KB56057 - How to download product updates and documentation.
- Extract the package.
- Stop all ePO services.
- Run ePOUpdater.exe.
- Enter your SQL credentials, accept the license agreement and click Continue.
- Click Previously Installed Updates.
- Click Repair.
- Click Finish once the install completes.
- Follow the instructions in Step 1 above to validate that the build number is now ePO 5.10.0.4098.
Related Information
Frequently Asked Questions
If I have already upgraded to or installed ePO 5.10 SP1 and I am not experiencing this issue, do I need to take any action?
Not at this time. If you are not experiencing the issue immediately upon upgrading to or installing ePO 5.10 SP1, you will not experience the issue unless you migrate ePO to a system which has CPU support for SHA-NI extensions enabled.
Does this issue only occur when upgrading ePO to SP1?
No. This issue can occur during a new install or an update to ePO 5.10 SP1 using either the ePO 5.10 SP1 or ePO 5.10 SP1 CU package.
I'm concerned about the vulnerabilities addressed by ePO 5.10 SP1. What should I do?
Contact support by opening a Service Request. We can release the ePO 5.10 SP1 package to you if your ePO server is not using a CPU with SHA-NI extensions enabled. Alternatively, we can provide ePO 5.10 SP1 and the hotfix when it is available
Can this issue impact virtualized machines?
Yes.
Not at this time. If you are not experiencing the issue immediately upon upgrading to or installing ePO 5.10 SP1, you will not experience the issue unless you migrate ePO to a system which has CPU support for SHA-NI extensions enabled.
Does this issue only occur when upgrading ePO to SP1?
No. This issue can occur during a new install or an update to ePO 5.10 SP1 using either the ePO 5.10 SP1 or ePO 5.10 SP1 CU package.
I'm concerned about the vulnerabilities addressed by ePO 5.10 SP1. What should I do?
Contact support by opening a Service Request. We can release the ePO 5.10 SP1 package to you if your ePO server is not using a CPU with SHA-NI extensions enabled. Alternatively, we can provide ePO 5.10 SP1 and the hotfix when it is available
Can this issue impact virtualized machines?
Yes.
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Affected Products
Languages:
This article is available in the following languages:
