Installing Security Patches in ZENworks Reporting

  • 7022465
  • 15-Dec-2017
  • 21-Feb-2019

Environment

ZENworks Reporting Server 2017

Situation

Installing Security Patches in ZENworks Reporting

Resolution

Pre-requisite:

1.       Before applying security updates, ensure that you back up the ZENworks Reporting server. For information, see Backing Up the ZENworks Reporting (https://www.novell.com/documentation/zenworks-2017-update-1/zen_zr_appliance/data/b1g8v344.html).

2.       It is also mandatory to take a snapshot of the virtual machine to save the state and data of the machine at the current time.

3.       It is mandatory to import the public key first and then register to NCC. Customers who are already registered to NCC must import the public key and then perform a Refresh.

4.       A public key, which is used to authenticate the signed repositories, is required to install security patches on the ZENworks Reporting server. To import the public key:

a.       Download the repomd.xml.key from the Micro Focus Download site https://download.novell.com/Download?buildid=-qqyBij6lTw~

b.      Open a terminal on the ZRS Appliance console and execute the rpm --import <path of the key> command.

For example, if the key is saved in the local temp directory (/tmp/repomd.xml.key), execute the rpm --import /tmp/repomd.xml.key command.

c.       This step needs to be performed only once. It enables the download of security updates on the ZENworks Reporting Appliance.

Applying Online Updates:

·         To apply online updates, refer to the following documentation:

Online Update (https://www.novell.com/documentation/zenworks-2017-update-1/zen_zr_appliance/data/onlineupdate.html)

·         After clicking Update now, select both of the following options while updating so that the patches are applied successfully:

o    Automatically agree with all license agreements.

o    Automatically install all interactive patches.

·         At the end of the update, a message is displayed showing the list of downloads and updates. It is recommended to read and accept the dialog. This is just an FYI note.

·         After applying Updates, please restart the Appliance.

Product Updates

As part of the currently available security update, ZENworks Reporting is upgraded from version 6.2.1 to version 6.2.3. The following security vulnerabilities are fixed in this update:

·         JasperReports Server cross-site vulnerabilities: CVE-2017-5528
Impact: The vulnerability includes the theoretical disclosure of sensitive information.
CVSS v3 Base Score: 5.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

·         JasperReports Library Information Disclosure: CVE-2017-5529
Impact: This vulnerability includes the theoretical disclosure of any accessible information from the host file system.
CVSS v3 Base Score: 4.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N)

Important:

·         The update size is around 1GB, so applying patches directly from MFCC takes a minimum of half an hour to download and then install. It is mandatory to perform this on a network with good strength. Online Update might fail if the network strength is not good, which eventually causes a timeout issue.

·         While applying patches, the zypper pid occasionally gets locked. This does not affect the update. However, a machine restart is required to proceed with applying patches.

·         If your database server is Microsoft SQL Server, after upgrading to ZENworks Reporting 6.2.3, reconfigure the Reporting Server to get and use the latest drivers. For information, see Reconfiguring ZENworks Reporting (https://www.novell.com/documentation/zenworks-2017-update-1/zen_zr_appliance/data/b1dm86if.html).

·         If a new 6.2.3 Appliance is being brought up, follow the documentation below to import reports from 5.6.1:

To import the ZENworks Reporting exported file in ZENworks Reporting 6.2.3, use the CLI method. For information about the CLI method, see Managing the Import Settings (https://www.novell.com/documentation/zenworks-2017-update-1/zen_zrs_reference/data/i1090241.html#b16jku43) in the ZENworks Reporting System Reference Guide (https://www.novell.com/documentation/zenworks-2017-update-1/zen_zrs_reference/data/bookinfo.html#bookinfo). However, import and export (Manage > Server Settings > Settings) will work in the UI method for the same ZENworks Reporting release version.

Cause

Signature verification failed for repomd.xml because the ZRS appliance doesn't have the latest "key".

Additional Information

Errors encountered in the logs if repomd.xml is not up to date

ZRS failure to Register Online Updates.
RPC Communication Error: Status code: 500

Logging errors:

/var/opt/novell/va/logs/suse_register.log will display similar errors:
File 'repomd.xml' from repository 'ZRS-Appliance-6-SP2-Product' is signed with an unknown key 'A258EA4AAFE68DCA'
2018-06-19 18:46:24 SUSE::SRPrivate - [debug1]  Refresh failed(34): Refreshing service 'nu_novell_com'.
2018-06-19 18:46:24 SUSE::SRPrivate - [error]  Repository 'ZRS-Appliance-6-SP2-OS' is invalid.
2018-06-19 18:46:24 SUSE::SRPrivate - [error]  Repository 'ZRS-Appliance-6-SP2-Product' is invalid.

...

/var/log/zypper.log – displayed many of these errors

2018-06-19 18:46:23 <5> zr2017(1972) [zypp] Exception.cc(log):137 MediaCurl.cc(evaluateCurlCode):997
THROW:    Login failed. (https://nu.novell.com/repo/$RCE/ZRS-Appliance-6-SP2-Product/sle-12-x86_64/repodata/repomd.xml.asc?credentials=NCCcredentials):
The requested URL returned error: 401 Unauthorized
...
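
The following is an added example, not part of the original article or of ZENworks: a small triage script that ties the "unknown key" errors in suse_register.log to the key import step in the Resolution section. It extracts each repository and key ID from the log and checks whether that key is present in an rpm keyring listing. The function names are hypothetical and the keyring listings are constructed sample data.

```shell
#!/bin/sh
# Added example: triage "signed with an unknown key" repository errors.
# Function names and the keyring listings below are constructed for illustration.

# Read a suse_register.log on stdin; print "repository keyid" per unknown-key error.
unknown_keys() {
    sed -n "s/.*from repository '\([^']*\)' is signed with an unknown key '\([0-9A-Fa-f]\{16\}\)'.*/\1 \2/p" |
        sort -u
}

# rpm keeps each imported key as a pseudo-package named
# gpg-pubkey-<last 8 hex digits of the key ID, lower case>-<creation time>.
pubkey_pkg_prefix() {
    short=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/')
    printf 'gpg-pubkey-%s-' "$short"
}

# key_is_imported KEYID LISTING, where LISTING is the output of `rpm -q gpg-pubkey`.
key_is_imported() {
    prefix=$(pubkey_pkg_prefix "$1")
    printf '%s\n' "$2" | grep -q "^$prefix"
}

# triage LISTING < logfile: one verdict per repository/key pair found in the log.
triage() {
    unknown_keys | while read -r repo keyid; do
        if key_is_imported "$keyid" "$1"; then
            echo "$repo $keyid imported"   # key present: perform a Refresh
        else
            echo "$repo $keyid missing"    # key absent: rpm --import it first
        fi
    done
}

# Log lines as quoted in this article.
SAMPLE_LOG="File 'repomd.xml' from repository 'ZRS-Appliance-6-SP2-Product' is signed with an unknown key 'A258EA4AAFE68DCA'
2018-06-19 18:46:24 SUSE::SRPrivate - [error]  Repository 'ZRS-Appliance-6-SP2-Product' is invalid."
# Constructed keyring listings (placeholder creation times), before and after the import.
KEYRING_BEFORE="gpg-pubkey-0123abcd-00000000"
KEYRING_AFTER="gpg-pubkey-0123abcd-00000000
gpg-pubkey-afe68dca-00000000"

printf '%s\n' "$SAMPLE_LOG" | triage "$KEYRING_BEFORE"
printf '%s\n' "$SAMPLE_LOG" | triage "$KEYRING_AFTER"
# On the appliance:
#   triage "$(rpm -q gpg-pubkey)" < /var/opt/novell/va/logs/suse_register.log
```

A "missing" verdict means the key named in the log is not in the rpm keyring, so signature verification of repomd.xml will keep failing until the key is imported.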