
RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD CX
RELEASE DATE: FEBRUARY 18, 2015
RIOS VERSION: 9.0.0A

CONTENTS

1) Supported SteelHead Models
2) New Features in RiOS 9.0.0
3) Fixed Problems
4) Known Issues
5) Upgrading the RiOS Software version
6) SteelCentral Controller for SteelHead (SCC) Compatibility
7) Hardware and Software dependencies
8) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS

Important: RiOS 9.0.0a supports Riverbed CX models xx50, xx55, and xx70, and DX model
DXA-8000.

2) NEW FEATURES IN RIOS 9.0.0

Secure Transport Service

This feature enables simple, manageable group encryption for Path Selection deployments. It
automatically encrypts data regardless of the path (including optimized and nonoptimized
traffic) and secures traffic flowing between any two SteelHeads over private (MPLS) and
Internet links by directing it to a secured uplink using path selection service rules. Secure
transport uses standards-based encryption for added security and regulatory compliance.

Note: SteelCentral Controller v9.0 or higher is required to enable and configure Secure
Transport for Path Selection.

Hybrid Network Topology, Application, and Site Definitions

RiOS v9.0 introduces a topology-oriented management approach aimed at simplifying the
configuration and administrative upkeep of Hybrid Network services. Users define a
simplified virtual representation of their WAN topology, which helps the SteelHead
and SteelCentral Controller for SteelHead (formerly the Central Management Console)
understand connectivity relationships and WAN capacities. This is important for Path
Selection, Secure Transport, and QoS, because these features have site-dependent rules
and dependencies.

RiOS v9.0 also changes the way users define and manage application classification criteria.
Applications are now defined as objects that users can create, edit, use in QoS and Path
Selection rules, and view in dashboards. In addition to the 1100+ Riverbed Application Flow
Engine (AFE) defined application objects, users are able to define their own custom
application objects based on any number of IP header criteria and/or AFE named
applications. Each application object includes three new properties based on business-level
groupings: Application Group, functional Category, and Business Criticality level. These
properties are a useful way to organize a large number of application objects into a smaller
number of objects to manage in rules.

Streamlined QoS Configuration

This feature simplifies QoS configuration and builds on the previous basic QoS model with
the added ability to create custom QoS profiles and classes on a per-site exception basis.
The improved QoS user interface includes an easy-to-use QoS class hierarchy editor.

Enhanced Inbound QoS

Inbound QoS now supports hierarchical QoS classes. This provides more granular control
over inbound traffic usage. The same QoS rules can now be applied to inbound and/or
outbound traffic.

QoS Migration

This release supports the option to migrate RiOS v8.5.x or v8.6.x basic and advanced QoS
configurations to v9.0 QoS profiles. However, Riverbed recommends that customers rebuild
their QoS configuration rather than migrate the old configuration, to take advantage of the
powerful v9.0 QoS profiles, application objects, simplified topology model, and path selection
features.

Note: to preserve the underlying behavior of the original QoS configuration when migrating
a legacy advanced QoS configuration, the result may be an overly verbose and sub-optimal set
of QoS profiles, classes, and topology model.

For complex QoS migration assistance, please contact your local Riverbed representative.

Easy-to-Use Path Selection Capabilities

This feature enables you to more accurately control traffic flow across multiple WAN circuits
within hybrid networks. RiOS v9.0 uses the concept of application groups to define path
selection rules that include the global performance for an application, including the latency
priority. Simplified configuration lets you define path selection rules for application groups
such as business bulk (file transfer applications and protocols), business critical (low-latency,
transactional applications and protocols), business productivity (general business-level
applications and protocols), business standard (intranetwork traffic going within local
subnets), business video, and so on.

Expanded Exchange Server Qualifications

This feature expands Exchange 2013 server qualifications. The qualifications include:
• All Exchange 2013 Cumulative Updates
• Windows Server 2012 R2 with Exchange 2013 SP1 (CU4)
• Windows Server 2012 R2 with Exchange 2010 SP3
• Windows Server 2008 R2 with Exchange 2010 SP3

Improved SMB2/3 Performance

This feature includes SMB2/3 resiliency and graceful recovery for signed and unsigned
connections from NULL pointer dereferences and invalid packet handling, significantly
reducing SteelHead optimization service interruption or downtime.

SMB3.02 Support

This feature adds SMB3.02 dialect support when SMB3 is enabled on a SteelHead.
SMB3.02 was introduced by Microsoft in Windows 8.1 and Windows Server 2012 R2.
SMB3.02 is only negotiated when systems running these operating system versions are directly
connected. SMB3.02 is qualified with signed and unsigned traffic over IPv4 and IPv6
and with encrypted connections over IPv4 and IPv6. Authenticated connections between a
server-side SteelHead and a domain controller are only supported over IPv4.

SteelHead Visibility with SteelCentral AppResponse

This feature extends end-user visibility and troubleshooting to SteelHead-optimized and
nonoptimized enterprise Web and software as a service (SaaS) applications. In
SteelHead-based deployments where a SteelCentral AppResponse version 9.5 appliance is present,
you can use the SteelCentral Controller for SteelHead version 9.0 to configure the
communication between the SteelHeads and the AppResponse appliances. This integrated
solution provides visibility into a wide variety of issues, such as where the service delays are
occurring on the network and how well the SteelHead is performing.

Redesigned User Experience, New Dashboard, and Streamlined Work Flows

This feature improves configuration work flows, usability, and readability. The new design
refreshes the SteelHead Management Console with these changes and more:
• The Home page is now called the Dashboard. The new Dashboard highlights the
product name, appliance name, and appliance health status along with the optimized
throughput and bandwidth optimization statistics.
• The previous cascading, hierarchical menu structure is now flat to provide easier
navigation. This new structure also makes specific content more accessible.
• The new UI design focuses on the minimalist use of common controls, typography,
and flat colors for better readability and attractiveness.

Improved User Permissions Page

This feature adds a permission for all other Role Based Management (RBM) roles and a
permission to perform appliance administration, minimizing the need to assign an
administrator role that grants full read-write access to all areas of the appliance. The page
now merges the capability-based and role-based user tables into one Accounts table. In
addition, the default user setting has been relocated from the General Security Settings page
to the User Permissions page.

Improved SSL

This feature enhances SSL optimization performance and scalability in these ways:
• Decreases the amount of memory used per SSL connection.
• Increases the number of connections per second for a SteelHead running in
Federal Information Processing Standard (FIPS) mode.

Improved TCP Dump Diagnostic Tool

This feature includes a more resilient snap length configuration from the Management
Console.

SteelHead (Virtual Edition) Performance and Benchmarking Tests

This feature provides a way to qualify and validate the performance of a target SteelHead-v
model in your virtualization environment. Tests include validating CPU performance and disk
throughput.

SteelHead (Virtual Edition) Support for ESXi 5.5

This feature updates the approved ESXi version to 5.5.

Merged SteelHead CX and SteelHead DX

This feature merges the CX and DX SteelHead models into one image; the appliance is
automatically configured to the correct product model during installation.

SteelHead SaaS - GeoDNS for Office365

SteelHead SaaS now supports GeoDNS, which enables location-based optimization for
Office365 Outlook and Outlook Web Access (OWA) Webmail.

Office365 DNS requests from users are directed to the Client Access Server (CAS) closest to
the user. This may be different from where the user's mailbox is located, for instance if the
user is traveling or works from a different branch. This could create a condition where the
transactions between the user's CAS and Mailbox incur significantly higher latency than
usual, for example if the user is in Melbourne trying to get email from a mailbox located in
Chicago.

GeoDNS, a feature fully supported in RiOS v9.0, overcomes this problem by detecting the
location of the user's mailbox and mapping subsequent flows to a CAS closest to that
mailbox. The route to that CAS is optimized using Akamai's SRIP network, which finds the
fastest route to the CAS, and the SteelHead optimizes traffic from the user to the CAS, which
is then located at a negligible latency from the Mailbox. GeoDNS is also supported for
Outlook Web Access (Webmail) and Public Folder access.

3) FIXED PROBLEMS

Problems fixed in version 9.0.0a

• 223242 Fixed an issue where the help pages on the appliance dashboard were
returning a 401 Unauthorized error.
• 225347 Fixed a memory leak in the SSL certificate expiring alarm function.

Problems fixed in version 9.0.0a

• 6206 Added CLI commands to manage SSH client known hosts: "show ssh client
known-hosts" and "no ssh client known-host <host>".
• 40722 Fixed an issue where the kernel would crash while the optimization service
was starting, due to a rare race condition between accessing the RiOS kernel state
and the backend resources becoming available.
• 77755 This bug fix helps the optimization service gracefully recover when
corruption is detected in the deduplication index by repairing the data structures that
form part of the index. This recovery occurs transparently without triggering a service
crash, connection drops, or loss of data integrity.
• 86285 Updated the UI to use one tab instead of two. Previously a user had to
choose which tab to use based on how many files they had. The certificate and key
are available either as a single file or as separate files.
• 95814 Fixed a cryptic error message in the SteelHead logs to ensure that an
appropriate error message is reported when SMB Signing or Encrypted MAPI fails
because NTLM is blocked on the Domain Controllers.
• 106099 Fixed an issue where Domain Controller communication is marked as lost
when the Domain Controller of a trusted domain is unreachable from the Domain
Controller of the domain to which the SteelHead is joined.
• 116730 Fixed an issue where SNMP would return the incorrect speed on the primary
interface.
• 123997 Fixed an issue where a disk alarm is triggered after a RAID element fails.
• 129100 Fixed an optimization device failure that would occur along with messages
similar to "watcher: One or more threads not responding after at least [x]s;
unhealthy threads follow."
• 130193 Fixed an issue where an interface would lose link after upgrading to 8.6.0 if
the interface speed and duplex were configured for 100 full (without using
auto-negotiation) on both the SteelHead and the connected router or switch. The fix only
applies to a configuration that is supported by the interface.
• 130315 Enhanced peer name parsing logic to allow hostnames containing
underscores to be displayed.
• 138588 Stopped generating a link-local IPv6 address for interfaces with an MTU
value lower than 1280. This fix prevents the kernel error message "No buffer space
available," because IPv6 requires the MTU on an interface to be at least 1280.
• 144119 RiOS software switches transparently from hardware to software
compression when an error is detected on the SDR accelerator card. This
enhancement ensures that the optimization service resumes compression with the SDR
accelerator card after a fixed timeout period (6 minutes), thus helping recover full
functionality in the case of transient errors like memory pressure. If the error is
determined not to be transient (10 or more failures in a 2-hour period), the service
switches entirely to software compression.
• 144777 Fixed an issue where the reboot reason was not retrieved correctly on the
SteelHead CX 255 because the HWMON driver was loaded before the reboot reason was
gathered.
• 144891 In some rare cases when a sysdump is started on a SteelHead with SteelHead
Cloud Accelerator enabled, the SteelHead becomes less responsive and its CPU usage
is high, with the following repetitive error messages in the logs:
Jul 15 14:53:54 mySH apprep_riverbed[5501]: [apprep_riverbed.ERR]:
Could not write to 8: Connection refused
• 146046 Inbound QoS has been modified to limit processing of too many packets in a
single pass. This prevents the watchdog from timing out and causing a reboot.
• 146431 Fixed an issue where, under certain circumstances, the system may fail to
properly distribute interrupt load across all CPU cores, resulting in symptoms like
packet drops or CPU alarms. Fixes have been made to the IRQ balancing mechanism
to correct this problem.
• 147174 Enhanced NetFlow flow records to indicate to CascadeFlow collectors that
the SteelHead interface data exported may be incorrect in virtual in-path deployments
or when Path Selection is enabled.
• 147363 Fixed an issue that resulted in a crash of the rcud process during high CPU
and disk load on the SteelHead.
• 148619 Fixed a severe SSL CPS performance degradation issue when FIPS mode is
enabled on the SteelHead. The performance degradation was due to heavy use of
certain FIPS locks used by OpenSSL. The fix avoids read operations on FIPS locks to
improve performance safely.
• 149216 Fixed an issue where opening a continuous log window could prevent a user's
Web UI session from timing out. A timeout now occurs either after the inactivity delay set
in Web Settings or five minutes after the main window or tab is closed, whichever
comes first.
• 150102 Fixed a memory leak that may occur if non-SSL traffic flows over SSL ports.
• 150211 Implemented a cache to store the disk's branding information, so it is
retrieved once and future retrievals are efficiently served by the cache. The cache
is populated when the disk appears and is cleared when the disk disappears from
the system.
• 150658 Fixed an issue where the optimization service could crash if an optimized
Outlook Anywhere connection is closed while it is processing HTTP request or
response headers.
• 151040 Fixed a race condition during delegation configuration to avoid a process
restart.
• 151996 For Path Selection, the outputs of the CLI commands "show connection" and
"show flow" now mark paths used for the inner connection pool with an asterisk (*) to
help differentiate those paths from the paths that were used for the queried
connection.
• 152355 Updated code to handle a zero-length LOCK request.
• 152519 Fixed an issue that caused the Group Policy Management Console application
to crash on Windows 2012 servers. With the fix, Active Directory settings are
correctly configured to ensure that a server object is created for the server-side
SteelHead and its serverReference attribute is correctly set in the LDAP database
when the SteelHead is joined in Windows 2008 Active Directory Integrated mode.
• 153082 Fixed an issue that caused a crash of the optimization service at
Smb2::ClientParser::process_TreeDisconnectResponse(). The crash was due to an
attempt to update metadata in an unoptimized node during a Tree Disconnect
operation. The crash is likely to occur in
Smb2::ClientParser::process_SessionLogoffResponse() as well, due to similar attempts
made during a Session Logoff operation. The fix adds checks to avoid updating
metadata in unoptimized nodes.
• 153178 Fixed a crash of the Application Visibility process "collectord". The crash
was due to memory exhaustion during high load.
• 154088 Fixed a crash in RiOS resulting from a failure to compress a specific
data pattern. The failure was caused by incorrect sizing of an output buffer. This fix
makes sure the output buffer is big enough to handle such scenarios.
• 154381 Fixed an issue where closing a TCP connection that was simultaneously
open on the SteelHead and any other device in the network would result in a RiOS
kernel crash. The fix gracefully handles this condition by initializing the TCP
connection state to the correct value to prevent service disruption.
• 154501 Fixed an issue where, in a connection forwarding setup, the optimization
service crashes while shutting down if the neighbor service goes down
simultaneously.
• 154841 Fixed an issue where non-ASCII usernames could result in the Domain
Communication alarm being raised for Signed SMB or Encrypted MAPI connections.
• 155008 Improved the warning message when using ALL_IP as the source or
destination subnet for fixed-target in-path rules.
The new message recommends "Use All-IPv4 instead of All-IP with IPv4 target
appliances" and "Use All-IPv6 instead of All-IP with IPv6 target appliances."
• 155253 Fixed an issue so that the ADSI attribute editor no longer throws an
error when the SteelHead has joined in win2k8 mode (RODC mode).
• 155336 Fixed an issue where the disk space for logs became full after collecting
Application Visibility stats. The system now dynamically scales back Application
Visibility granularity thresholds when low disk space is detected.
• 155940 HTTP latency optimization was bypassed on large chunk-encoded transfers,
by design, with the intent that large transfers would not benefit from latency
optimization. This limit has been removed, as it was found to inhibit beneficial
optimizations on subsequent transactions.
• 156182 Fixed a potential but unlikely issue where the system shutdown could take
more than 20 minutes.
• 157078 Upgraded BIND named from 9.9.3-P2 to 9.9.4-P2 for CVE-2014-0591.

Details
-------
A function in query.c in named in ISC BIND allows remote attackers to cause a denial
of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an
authoritative nameserver that uses the NSEC3 signing feature.

Fix
---
Upgraded BIND named from 9.9.3-P2 to 9.9.4-P2 for CVE-2014-0591.

• 157650 Outlook Anywhere connections are now correctly counted as using two HTTP
connections, allowing MAPI Admission Control v2 to properly prioritize sessions for
Admission Control actions.
• 158787 Fixed an issue where a CX570 or CX770 SteelHead would display errors in the
syslog, such as the following, which do not impact operation and can be ignored:
Feb 10 00:00:39 sv-sh99 hald[7665]: [hald.INFO]: hald_handle_query_request(),
hald_main.c:631, build (null): No handler for bnode /hw/hal/raid/disk/0/disk_wear
Feb 14 11:32:05 sv-sh99 hald[7707]: [hald.NOTICE]: RAID MOD: No need to initialize.
Old model detected.
These warnings have been removed from the CX 570 and CX 770 models, as they do
not use RAID.
• 158834 Fixed an issue with Notes Encryption Optimization where the server-side
SteelHead fails to forward traffic to the unencrypted server port. This occurred under the
following conditions:
1) Enhanced Auto-Discovery (EAD) disabled
2) Fixed-target rules between SteelHead appliances
3) Probe caching enabled
This can result in the encrypted Notes connections not being optimized. In this case
you see a log message like the following:
[notesencr2sfe.NOTICE] 1 {x.x.x.x:x y.y.y.y:1352} Server is requesting encryption on
port 1352 and therefore cannot be optimized. This connection is passed through.
Note from the log that port 1352 was used even though the SteelHead was configured to
send traffic to unencrypted port 1353.
• 158916 Added support to allow SCEP signing requests to be validated by the
previously issued and validated certificate. A new CLI command was added to enable this
feature (instead of the default passphrase method):
[no] secure-peering scep signed-renewal enable
The new mode still requires a valid passphrase for initial enrollment.
• 159136 Fixed a statistics accounting issue where bytes sent or received were
erroneously counted multiple times towards a single port.
• 159262 The hardware watchdog timed out during lookup of a connection in a corrupted
connection table. The corruption was caused by lingering closed connections
in the connection table. The fix gracefully removes closed connections from the
connection table, thus avoiding corruption.
• 159419 Enabled multiple hardware queues for 10G interfaces in order to improve the
performance of QoS marking and Path Selection. This fix works only when QoS
Shaping is disabled.
• 159811 Fixed an issue where the domain-health test widgets were not honoring
encrypted LDAP settings on domain controllers, resulting in test widget failures.
• 159861 Enhanced the SMB2 packet processor to gracefully handle invalid packets with
incorrect data offsets. Graceful handling involves blacklisting and shutting down the
connection on which invalid packets are seen. As a result, a crash of the optimization
service is prevented.
• 160271 Fixed an issue where the auto-delegation and password replication policy
features did not honor encrypted LDAP settings on domain controllers.
• 160407 New feature: the Apache httpd log format can now be configured with the CLI
command "web httpd log-format". The Web server banner "Server:" (in the HTTP response
header) can be configured with the CLI command "web httpd server-header *". To reset to
the default ("Apache"), use the CLI command "no web httpd server-header".
• 160465 Fixed an issue that caused VLAN IDs to be erroneously copied to NetFlow
records.
• 161458 Fixed a problem that occurred on the CX555 and CX755 platforms where the
machine would sometimes reboot with a machine check exception after encountering
a PCI completion timeout. This error is caused by a network adapter hardware issue.
• 161615 Fixed an issue where non-alphanumeric characters were not allowed in the NTLM
Authentication Domain Health Check password field.
• 161827 This fix prevents configuring a SteelHead gateway IP address to be the
same as one of the interface IP addresses.
• 162292 With the fix, domain name validation is done prior to performing the
replication test, to show accurate failure reasons.
• 162336 Fixed a rare timing-related issue where the optimization service would shut down if
the SSL Secure Peering handshake completes at the same time as an optimized
encrypted Lotus Notes connection is being torn down. After the fix, the Lotus Notes
Encryption Optimization blade checks whether the connection is being terminated
before it processes messages from the SSL Secure Peering blade.
• 162343 Fixed a problem where a change in in-path interface MTU was not propagated
within the system, resulting in the blackholing of packets larger than 1500 bytes when
Path Selection is enabled.
• 162404 MX-TCP connections are no longer stalled on a transmission timeout of a
given TCP packet. On transmission timeout, the packet in question is now
correctly retransmitted.
• 162443 Replaced the "show connections all sort-by protocol" command with the "show
connections all sort-by application" command to match the Web UI when sorting
connections by application.
• 162474 Fixed an optimization service crash when an optimized Outlook Anywhere
connection was closed immediately after opening.
• 162498 This fixes a problem where the safety valve stays ON if the optimization service is
shut down or restarted within a short period of time after the safety valve is
triggered. This fix makes sure that the safety valve is turned OFF during the shutdown
of the optimization service and that management is notified of the change.
• 162513 Fixed an issue where, in certain rare cases, the SteelHead could report a
"Needs Attention" status even though the condition that caused it had cleared. The
"Needs Attention" status now clears appropriately.
• 162528 Samba password lockout and smbcacls security issue

Details
-------
Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce
the password-guessing protection mechanism for all interfaces, which makes it easier
for remote attackers to obtain access via brute-force ChangePasswordUser2 (1)
SAMR or (2) RAP attempts.

Fix
---
The samba package has been updated to address CVE-2013-4496.

Recommendation
--------------
Upgrade to the patched version if applicable.
• 162553 Fixed the communication between the ESX Cloud SteelHeads and the Cloud
Portal. The absence of this secondary communication resulted in the appliance not
showing up against the license on the Cloud Portal.
• 162543 Fixed an issue where the alarm indicating IPv6 incompatibility between
connection forwarding neighbors does not clear after the neighbors disconnect.
• 162658 Modified the CLI RAID commands to correctly identify the type of RAID a
system is using. Unsupported RAID commands are reported when any RAID CLI
command is executed.
• 162723 Fixed a memory leak in the stats gathering subsystem that can result in
paging activity high alarms on systems that have been running for several months.
• 163151 The application and regular expression filters match connections both by
protocol and by application name. Entering TCP, for example, matches connections
that are transported over TCP but whose application names do not explicitly include
TCP.
• 163276 This change fixes the handling of empty Kerberos request packets on HTTP
connections.
• 163298 The memory limit of the QoS process qosd was removed so that it no longer
crashes when its memory usage hits 500 MB.
• 163324 Added a new alarm in RiOS that is triggered if Path Selection probe responses
arrive at a WAN interface that is different from the WAN interface on which the
probe requests were sent.
• 163333 Fixed a problem that caused a segmentation fault in
Citrix::Frame::disassemble. This segmentation fault could only occur under the
following conditions:
1) Citrix optimization is enabled and Citrix traffic is being optimized.
2) The Citrix traffic is secured with Citrix SecureICA.
• 163476 Fixed a leak of file descriptors in the winbindd process that can result in
protocol errors for new Signed SMB or encrypted MAPI connections.
• 163505 Fixed a problem that caused the log message "[cli.ERR]: user monitor: No
response from HAL for uses_hardware_wdt" to be printed in the syslog when a
non-admin user logged in. This problem did not prevent the CLI from being used.
• 163698 Serious SSL Heartbleed bug CVE-2014-0160

Details
-------
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly
handle Heartbeat Extension packets, which allows remote attackers to obtain
sensitive information from process memory via crafted packets that trigger a buffer
over-read. See http://heartbleed.com/ for more details.

Fix
---
Upgraded OpenSSL to 1.0.1g to fix CVE-2014-0160 (the "Heartbleed" bug).

Recommendation
--------------
Upgrade to the patched version if applicable.
• 163925 Corrected three SMB3 port descriptions on the Monitored Ports
configuration page of the Web UI. The descriptions were corrected for ports 8781,
8782, and 8783 to SMB3, SMB3 Signed, and SMB3 Encrypted, respectively.
• 164014 Enhanced the error notification to explain that configuring Path Selection
channels on a SteelHead that is not peered with an Interceptor is not required.
• 164034 Fixed an issue where optimized bandwidth limits were not enforced on
MX-TCP connections.
• 164133 Fixed the issue so that SOAP APIs are available again.
• 164188 Fixed the httpd settings to prevent the "No slotmem from
mod_heartmonitor" message seen intermittently in the httpd logs.
• 164191 Improved the path state detection logic to recognize probe reroutes.
• 164382 The CX570, CX770, and SMC platforms do not support the CLI command "no
remote password". "Operation is not supported in the given platform" is now printed
on the console if it is executed by the user.
• 164384 Fixed an issue where Path Selection information for a connection was not
visible in the UI "Current Connections" report.
• 164386 Upgraded OpenSSL to 1.0.1g to address CVE-2014-0160, the
Heartbleed issue.
• 164421 Corrected code logic specific to an HTTP HEAD request that was improperly
blocking data.
• 164503 Corrected a problem where the order of the incoming data was corrupted
after the client TCP connection was reset. This behavior was leading to an internal
crash; however, no corrupt data was ever sent to the client or server.
• 164561 The Web user interface now supports key lengths of 3072 and 4096 for
generating CA certificates. These values provide parity with the command-line
interface, which introduced these key lengths in version 8.6.0.
The key size is no longer allowed to be 512.
• 164805 Fixed an issue in the RiOS kernel that could result in a kernel panic while
adding a VLAN tag to an unoptimized packet during path selection.
• 164812 The optimization service now closes the MAPI connection if an error
condition is encountered during optimization, allowing Outlook to gracefully recover.
• 164827 The original handling of SCEP events was not fully thread safe, and there was a
possibility of collisions that would cause this failure. Event handling for SCEP
events is now thread safe and follows the safe procedure for interprocess events.
• 164837 Fixed an issue that resulted in Windows clients failing to connect to a share
on a Windows 2012R1 server with update KB2934016 installed.
The fix corrects the size of the metadata prefetch request issued by the client-side
SteelHead. This size is calculated based on the server's maximum transaction size.
Increasing the maximum transaction size to 8 MB by Windows update KB2934016
exposed a bug in the computation of the prefetch request size.
• 165027 IIS sometimes responds with 401 authentication responses while an
HTTP POST request is still sending data. This behavior triggers a connection-level
bypass and, potentially, a crash on the SFE due to a defect in the bypass functionality
introduced in 8.5.0.
• 165075 Fixed an issue where the process rgpd would generate errors when it took
too long for the process to terminate.
• 165077 Modified the data store configuration file for the CX770L and CX770M
models to change the data store size from 100 GB to 150 GB. Upgrading to an image
containing the fix applies the new size. Note that this resizing operation
clears the data store.
 165090 Corrected code to flush data upon receipt of a connection EOF.
 165212 Fixed an issue related to collectord crash under high disk load.
 165217 Fixed the SteelHead's Client Authentication support feature to allow
bypassing the connection when the ECDHE-RSA cipher suite is chosen.
 165253 The fix prevents the SteelHead from crashing and correctly handles
connections to TCP server port 7840.
 165262 Enhanced the logic that maintains the state for optimized connections in the
RiOS kernel to prevent referencing stale data that may result in a kernel panic.
 165343 Fixed a crash of the SteelHead optimization service when the Server
Certificate Chain Discovery feature is enabled on the server-side SteelHead. The
process crashed due to a NULL pointer dereference. The fix involved introducing
NULL pointer checks.
 165427 Fixed an issue where packets transmitted from the primary interface have an
incorrect source MAC address because they were unintentionally processed by the
Path Selection feature.
 165433 Fixed an issue with SteelHead SaaS that caused a critical log entry:
"[acp.CRIT]: Partial write on /dev/rbtpipe TUN device??? Unexpected!" when a non-
IP packet was encountered. SteelHead SaaS does not process non-IP packets, so
these packets now generate a warning log message, not critical, to alert the user of
potential network misconfiguration.
 165611 Fixed a memory allocation failure that caused in-path interfaces to stay offline
after a software upgrade. The failure resulted from the increased memory usage of the
system during a software upgrade.
 165657 Fixed a problem where automatic emails were sent from 32-bit appliances
indicating "/usr/lib64/sa/sa1" and "/usr/lib64/sa/sa2" were missing. These
commands are used to collect system activity data for debugging and do not impact
normal system operation.
 165671 Fixed an issue where the image fetch command would fail if the disk drive
containing the /var directory was replaced.
 165705 Fixed a memory leak issue that causes high memory usage on the SteelHead.
The issue can result in memory admission control.
 165809 The optimization service would create an optimized MAPI connection for
every TCP connection to server TCP port 7830 even if the MAPI feature was disabled,
and an optimized NSPI connection for every TCP connection to server TCP port 7840.
With this fix, those connections receive the corresponding latency optimization only
when MAPI or NSPI is enabled.
 165828 Fixed an issue where VLAN tags are stripped when the packets go through an
ESX-based Virtual SteelHead. This fix affects both optimized and pass-through traffic.
 166123 CVE-2014-0198: OpenSSL SSL_MODE_RELEASE_BUFFERS denial of service

Details
-------
The do_ssl3_write function in OpenSSL 1.x through 1.0.1g, when
SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer
during certain recursive calls, which allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via vectors that trigger an
alert condition.

Fix
---
Applied a patch to OpenSSL used for device management for CVE-2014-0198.

Recommendation
--------------
Upgrade to patched version if applicable.
 166355 Fixed a kernel crash that may occur because of incoming out-of-order
fragmented TCP packets when the QoS and/or Path Selection feature is enabled.
 166549 When the SteelHead encounters an ISATAP IPv6 address in a packet in virtual in-
path deployments, it now correctly passes through the packet by routing it.
 166647 This fix decreased the number of syslog messages printed by MAPI
optimization so only one of those messages is logged for each optimized MAPI
connection.
 166967 Fixed a service crash that followed a service restart after an SDR card failure.
 166977 Fixed an issue that caused sysdump collection to get stuck when TACACS+
per-command authorization is configured. This issue can occur if the admin account
is not authorized by the TACACS+ server to execute the exit command in the CLI.
During sysdump collection the CLI is launched multiple times internally, and if it
cannot exit from the CLI, the collection cannot complete.
 166999 The change triggers an automatic refresh of the SteelHead's domain account
password.
 167109 Fixed an issue where the optimization service can crash when a MAPI
connection is closed while processing an email with an attachment on that
connection.
 167210 Fixed a memory leak in the DC discovery locator process.
 167322 Fixed an issue where optimization could occasionally fail for encrypted MAPI if
encryption started on a second MAPI protocol context. If Outlook starts encryption on
a secondary protocol context, the optimization service does not attempt to start
decryption on that context. If this condition is detected, the remainder of the
connection is passed through and no longer optimized.
 167834 Fixed an issue where packet counts shown on the Current Connections page
were calculated erroneously for the outer connection on the client-side SteelHead
and inner connection on the server-side SteelHead. These packet count values are
now correct in all cases.
This bug was a cosmetic one and did not affect the reduction percentage calculation.
 168159 Upgrade OpenSSL to 1.0.1h/1.0.0m to patch OpenSSL security vulnerabilities
(libraries used by sport)

Details
-------
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not
properly restrict processing of ChangeCipherSpec messages, which allows man-in-
the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-
OpenSSL communications, and consequently hijack sessions or obtain sensitive
information via a crafted TLS handshake, also known as the "CCS Injection"
vulnerability.

Fix
---
Upgraded OpenSSL as used by the SteelHead optimization service process to 1.0.1h
(or 0.9.8za for some older releases using 0.9.8) to fix CVE-2014-0224. Note: This
patch also addresses the following security bugs that DO NOT affect RiOS:
DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)

Recommendation
--------------
Upgrade to patched version if applicable.
 168163 CVE-2014-0224: Upgrade OpenSSL to 1.0.1h/1.0.0m patch weak keying MITM
(libraries used by device management)

Details
-------
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not
properly restrict processing of ChangeCipherSpec messages, which allows man-in-
the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-
OpenSSL communications, and consequently hijack sessions or obtain sensitive
information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

Fix
---
Upgraded OpenSSL as used by device management to 1.0.1h (or 0.9.8za for some
older releases using 0.9.8) to fix CVE-2014-0224. This patch also addresses the
following security bugs that do not affect RiOS:
DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
Anonymous ECDH denial of service (CVE-2014-3470)

Recommendation
--------------
Upgrade to patched version if applicable.
 173569 This fix causes the SteelHead to refresh its folder cache, for certain server
types, even if notifications are missing. To enable the behavior, run the CLI
command protocol cifs ignore-notifies enable on the client-side SteelHead.
 173665 Increased the memory admission control values so that they are adequate to
support the maximum prescribed load for SteelHead models 770L and 770M.
 187833 Fixed a memory leak in the RiOS kernel that may occur in the client-side
SteelHead in rare conditions where a client is opening a very large number of short-
lived connections and the optimized connection setup between SteelHeads fails.
 187862 The Qosd memory leak was fixed and no leaks have been seen with this
release.
 187883 Fixed an issue with the IPv6 packet parsing logic that resulted in IPv6 ICMP
messages getting dropped before they could be processed.
 191370 Fixed an issue where invalid login requests can result in MAPI blacklist
entries. Outlook can send an invalid login request, which results in a MAPI blacklist
entry on the server-side SteelHead. With this change, such a blacklist entry is only
made on the second invalid login request on a MAPI connection. This behavior allows
a recovery and successful login by Outlook on the second attempt.
 191372 Fixed a problem where the inbound QoS class for optimized Citrix flows
was mistakenly set to the default class.
 191761 Fixed an issue that results in failure of directory synchronization using
ViceVersa software when CIFS optimization is enabled. Certain find requests on
folder content were not forwarded to the server, causing the client to eventually
close the connection.
 191775 Fixed an issue where the byte count reported by the CLI command show in-
path gre-egress tbl included the GRE header of each packet that egressed through GRE
tunnels.
 191836 Fixed an issue where the SSL peering trust between SteelHeads would not
establish because certain SCEP servers rejected the CSRs generated by SteelHeads.
OpenSSL 1.0.1h changed the default mask for encoding the ASN.1 DirectoryString to
use UTF8String; this has been reverted to PrintableString.
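The SCEP rejection above comes down to which ASN.1 string type the CSR subject is encoded with. The following is an added example, not Riverbed's code: a small pure-Python DER encoder and walker that builds an X.501 Name with either PrintableString (tag 0x13) or UTF8String (tag 0x0C) values and reports which type a DER-encoded Name actually uses, so the subject emitted by a SteelHead or any other OpenSSL-based CSR generator can be checked before it is submitted to a SCEP server. The subject values and OIDs are constructed sample data; the check only needs the DER bytes of the Name (the subject field of a CSR), not the rest of the request.

```python
# Added example (not Riverbed code): which ASN.1 string type does a DER Name use?
from collections import Counter

# Universal tags for the DirectoryString CHOICE, plus IA5String (used by emailAddress)
STRING_TAGS = {
    0x13: "PrintableString",
    0x0C: "UTF8String",
    0x14: "T61String",
    0x1E: "BMPString",
    0x1C: "UniversalString",
    0x16: "IA5String",
}
# Characters allowed in a PrintableString (X.680)
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")   # id-at-organizationName (2.5.4.10)


def printable_string_ok(value: str) -> bool:
    """True if value can be encoded as a PrintableString at all."""
    return all(ch in PRINTABLE for ch in value)


def _tlv(tag: int, body: bytes) -> bytes:
    """Wrap body as DER tag-length-value with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_name(attrs, string_tag: int = 0x13) -> bytes:
    """Encode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue).

    attrs is a list of (oid_bytes, value) pairs; every value gets string_tag.
    """
    if string_tag == 0x13 and not all(printable_string_ok(v) for _, v in attrs):
        raise ValueError("value contains characters outside the PrintableString repertoire")
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(string_tag, value.encode("utf-8"))))
        for oid, value in attrs
    )
    return _tlv(0x30, rdns)


def walk_der(buf: bytes):
    """Yield (tag, value) for every TLV in buf, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        length = buf[pos + 1]
        pos += 2
        if length & 0x80:                  # long-form length: next n bytes hold it
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        value = buf[pos:pos + length]
        pos += length
        yield tag, value
        if tag & 0x20:                     # constructed (SEQUENCE/SET): recurse
            yield from walk_der(value)


def directory_string_types(name_der: bytes) -> dict:
    """Count the string types used for attribute values in a DER-encoded Name."""
    return dict(Counter(STRING_TAGS[tag] for tag, _ in walk_der(name_der) if tag in STRING_TAGS))


if __name__ == "__main__":
    subject = [(OID_CN, "sh-branch01.example.net"), (OID_O, "Example Corp")]  # constructed
    for tag in (0x13, 0x0C):
        der = encode_name(subject, tag)
        print(STRING_TAGS[tag], der.hex(), directory_string_types(der))
```

On an OpenSSL host the same choice is controlled by the string_mask setting in openssl.cnf (pkix, utf8only, nombstr or default). Values outside the PrintableString repertoire, an ampersand for instance, cannot be encoded as PrintableString at all, which is what printable_string_ok flags; a CA that insists on PrintableString will reject such subjects whatever the mask.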
 191977 This fix enhances codec flow control to set its initial window to the
configured WAN buffer size to avoid a potential slow start on high latency links. This
fix also enhances codec flow control to avoid throttling of traffic in some situations
where memory pressure is not imminent.
 192188 Fixed an issue where some optimized connections were not reported in the
connection history. Branch warming connections were not reported in the count of
optimized connections even though they count against the total optimized
connection limit for the SteelHead. With this fix, all connections that count toward
the optimized connection limit are reported in the connection history.
 192199 Fixed a problem that caused a crash in the optimization service when the
Citrix protocol optimization component parsed the start of a Citrix connection. The
stack contained these function calls:
#0 0x... in IcaContext::basic_decrypt(Citrix::ByteBuffer*, bool) ()
#1 0x... in UiDriver::UiDriver(AbstractDriver::DriverHeader const&, BufReader*,
bool*) ()
#2 0x... in AbstractDriver::create_driver(AbstractDriver::DriverHeader const&,
BufReader*, std::basic_string<char, std::char_traits<char>, std::allocator<char> >*) ()
#3 0x... in DriverInitResponse::DriverInitResponse(unsigned char, unsigned short,
bool, BufReader*, bool*) ()
#4 0x... in Citrix::DriverStack::parse() ()
...
The crash happened while parsing a Citrix client packet at the start of the connection.
These messages were observed in the system logs immediately before the crash:
... [/citrix/cfe/DriverStack INFO] {<client_ip>:<client_port> <server_ip>:1494|2598}
Parsed driver at index QQ"
 192346 Fixed an issue that caused an error to be reported when noncorrect mode
IPv6 addresses are entered in the delegation lists (delegate-all, delegate-all-except).
 192930 Fixed an issue where usernames were not prevented from being created that
started with a hyphen (-) or were longer than 31 characters. While user accounts
with these values were created, they were not valid accounts that could be used for
login.
 193347 CVE-2014-0191, CVE-2013-2877: Libxml2 security update RHSA-2014:0513-1

Details
-------
CVE-2014-0191: It was discovered that libxml2 loaded external parameter entities
even when entity substitution was disabled. A remote attacker able to provide a
specially crafted XML file to an application linked against libxml2 could use this flaw
to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service
or an information leak on the system.
CVE-2013-2877: An out-of-bounds read flaw was found in the way libxml2 detected
the end of an XML file. A remote attacker could provide a specially crafted XML file
that, when processed by an application linked against libxml2, could cause the
application to crash.

Fix
---
Upgraded libxml2 to fix security vulnerabilities CVE-2014-0191 and CVE-2013-2877.

Recommendation
--------------
Upgrade to patched version if applicable.
 193744 GeoDNS for SH SaaS is used to locate the closest SteelHead against the
destination Exchange-online (Office 365) server. This feature was disabled by default
before RiOS 8.6.2. The feature has now been enabled by default. The feature should
not be disabled under normal circumstances.
 193955 The optimization service no longer crashes when receiving an unexpected
packet fragment while optimizing MAPI connections.
 193992 When an Interceptor has been added as a neighbor but no cluster channels
have been configured, the stats may show direct channel paths instead of relayed
ones. This fix displays a warning in such a case that the displayed paths may be
incorrect.
 194051 Fixed an optimization service crash that can occur when an optimized MAPI
connection opens a second MAPI protocol context, but the connection has previously
encountered an optimization error.
 194193 This fix ensures that optimization service correctly handles encrypted MAPI
connection setup in the service shutdown path.
 195020 Upgrade Apache httpd 2.4 to 2.4.10 and 2.2 to 2.2.28 (or 2.2.27 with
patches) for CVE-2014-0117, CVE-2014-0226, CVE-2014-0118, CVE-2014-0231

Details
-------
CVE-2014-0117: mod_proxy: DoS attack against a reverse proxy via a crafted HTTP
Connection header.
CVE-2014-0118: mod_deflate: DoS via highly compressed crafted request message
body.
CVE-2014-0231: mod_cgid: DoS against CGI script due to lack of a timeout.
CVE-2014-0226: mod_status: Heap overflow denial of service attack.
Note that RiOS is not impacted by CVE-2014-0226 as it does not include the affected
mod_status module.

Fix
---
Upgraded Apache on RiOS 8.0 and higher to fix multiple denial of service issues.

Recommendation
--------------
Upgrade to patched version if applicable.
 196061 Three new MAPI Command Line Interface commands are now available. You
can now enable the multi-context feature for MAPI and Outlook Anywhere
connections. You can also enable the multi-auth support for encrypted MAPI
connections. See the SteelHead deployment guide for details.
The commands are:
protocol mapi encrypted multi-auth enable
protocol mapi multi-context enable
protocol mapi outlook-anywhr multi-context enable
 196239 Fixed a problem where a lock was not properly being released in the Citrix
optimization blade. This issue would result in other threads being blocked while
trying to acquire the lock, which would eventually cause the watchdog timer to
detect the threads as unhealthy and temporarily put the optimization service in
bypass.
 196534 Upgrade OpenSSL to 1.0.1i, 1.0.0n, and 0.9.8zb for security advisory
"secadv_20140806" (CVE-2014-3508 CVE-2014-3509 CVE-2014-3511 and others)

Details
-------
The OpenSSL security advisory https://www.openssl.org/news/secadv_20140806.txt
identifies several vulnerabilities of which the following impact RiOS:
CVE-2014-3508: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL
0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty
printing is used, does not ensure the presence of \0 characters, which allows context-
dependent attackers to obtain sensitive information from process stack memory by
reading output from X509_name_oneline, X509_name_print_ex, and unspecified
other functions.
CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in
t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading
and session resumption are used, allows remote SSL servers to cause a denial of
service (memory overwrite and client application crash) or possibly have unspecified
other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1
before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by
triggering ClientHello message fragmentation in communication between a client and
server that both support later TLS versions, related to a "protocol downgrade" issue.

Fix
---
OpenSSL has been upgraded to patch the vulnerabilities identified in the security
advisory secadv_20140806.

Recommendation
--------------
Upgrade to patched version if applicable.
 197047 Krb5 1.9 security update for CVE-2014-4341, CVE-2014-4342, and CVE-2014-
4344.

Details
-------
This security update addresses the following issues:
CVE-2014-4341: MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to
cause a denial of service (buffer over-read and application crash) by injecting invalid
tokens into a GSSAPI application session.
CVE-2014-4342: MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows
remote attackers to cause a denial of service (buffer over-read or NULL pointer
dereference, and application crash) by injecting invalid tokens into a GSSAPI
application session.
CVE-2014-4344: MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows
remote attackers to cause a denial of service (NULL pointer dereference and
application crash) via an empty continuation token at a certain point during a
SPNEGO negotiation.

Fix
---
Krb5 has been patched for CVE-2014-4341, CVE-2014-4342, CVE-2014-4344.

Recommendation
--------------
Upgrade to patched version if applicable.
 197150 Fixed an issue causing a service restart to become required, even though no
configuration was changed, after a configuration import fails from the Web user
interface.
 197894 Fixed an issue where IP addresses specified with the protocol domain-auth
delegation rule dlg-only command did not appear in the show running config
command output.
 198228 Removed the CLI command protocol mapi skip-copy enable. The cached
mode accelerator now behaves as intended without this command.
 200048 When SDR adaptive is enabled (either Legacy or Advanced), use sustained
CPU pressure as an alternate trigger to send resource pressure messages to a peer
SteelHead.
 200281 Fixed an issue that resulted in disruption of client-side optimization service
when basic-dialect was enabled for SMB2 and the client negotiated an invalid SMB2
dialect. The function backtrace shows Smb::NegotiateRequest::~NegotiateRequest
function on the stack.
 200367 glibc security update for CVE-2014-5119 and CVE-2014-0475

Details
-------
CVE-2014-5119: Off-by-one error in the GNU C Library (aka glibc) allows context-
dependent attackers to cause a denial of service (crash) or execute arbitrary code via
vectors related to the CHARSET environment variable and gconv transliteration
modules.
CVE-2014-0475: Multiple directory traversal vulnerabilities in GNU C Library (aka glibc
or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand
restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*,
(2) LANG, or other locale environment variable.

Fix
---
Glibc packages updated to fix CVE-2014-5119 and CVE-2014-0475

Recommendation
--------------
Upgrade to patched version if applicable.
 200449 Fixed a problem that caused an assertion failure when optimizing encrypted
Lotus Notes connections. At the point of crash, the following log message was seen
on the server-side SteelHead:
[assert.CRIT] - {- -} ASSERTION FAILED (lock_->held_by_me()) at
/builddir/build/BUILD/sport-0.1/rbt/iocore/action.cc:50.
The stack trace pointed to an assertion failure in the event system code:
#2 0x0... in assert_failure(char const*, char const*, char const*, int) ()
#3 0x0... assert_failure(char const*, char const*, int) ()
#4 0x0... in ActionInternal::is_cancelled() const ()
#5 0x0... in NetIOChannel::handle_event(EventSource, EventType, void*, void*) ()
#6 0x0... in EventThread::process_pollfds(int) ()
#7 0x0... in EventThread::run() ()
The crash happened because the optimization service was performing read/write
operations on an aborted TCP connection between the server-side SteelHead and the
Lotus Notes server.
 200896 CVE-2014-3535: Linux kernel VXLAN NULL pointer dereference flaw

Details
-------
CVE-2014-3535: The Linux kernel before 2.6.36 incorrectly uses macros for
netdev_printk and its related logging implementation, which allows remote attackers
to cause a denial of service (NULL pointer dereference and system crash) by sending
invalid packets to a VxLAN interface.

Fix
---
Patched the Linux kernel to fix CVE-2014-3535

Recommendation
--------------
Upgrade to patched version if applicable.
 201032 Fixed an issue in which multiple pools of connections between SteelHeads
could be created depending on the path selection configuration.
With the fix, the number of connection pools established between SteelHeads no
longer depends on the path selection configuration.
 201486 Fixed an issue that disallowed the hextets of IPv6 addresses for the Delegate-
Only and Delegate-All-Except lists from having leading zeroes.
 201789 Fixed an issue where the CLI command show usernames returned "No user
accounts found" when used with TACACS+ per-command authorization.
 202439 Enabling and disabling REST API access now requires Read-Write permission
to the General Settings role.
 202528 Fixed an issue that caused the image fetch to timeout after 5 minutes and fail
with some SSH servers. The timeout occurs with SSH servers configured to prompt
"Password:". For OpenSSH this behavior occurs when the
"ChallengeResponseAuthentication" setting is yes.
 202568 Fixed an issue such that if the user does not have permission to run the stats
restore and stats restore continue CLI commands, they are now properly marked as
permission denied (with a trailing asterisk).
 202700 Fixed an issue where the ADSI attribute editor threw an error after the
SteelHead had joined the domain in win2k8 mode (RODC mode).
 202825 Fixed an issue that prevented Role Based Management users from changing
their passwords on the WebUI My Account page. Changing their password would fail
with the error message "The current password entered does not match the user's
actual current password". This error would only occur when account control was
enabled, and Minimum Character Difference Between Passwords was set to 0. The
WebUI would not allow users to enter their old password while the system was
incorrectly requiring them to still enter it.
 202898 CVE-2014-6271, CVE-2014-7169: Bash Code Injection Vulnerability via
Specially Crafted Environment Variables

Details
-------
CVE-2014-6271: A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or bypass
environment restrictions to execute shell commands. Certain services and
applications allow remote unauthenticated attackers to provide environment
variables, allowing them to exploit this issue.
CVE-2014-7169: It was found that the fix for CVE-2014-6271 was incomplete, and
Bash still allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use this flaw to
override or bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to provide
environment variables, allowing them to exploit this issue.
Refer to this knowledge base article for detailed information on the impact of this
vulnerability on Riverbed products and services:
https://supportkb.riverbed.com/support/index?page=content&id=S24997

Fix
---
The Bash component was updated in Riverbed products and services to fix the
"ShellShock" vulnerability (CVE-2014-6271, CVE-2014-7169)
As a part of this update, the following related issues were also fixed:
CVE-2014-6277
CVE-2014-6278
CVE-2014-7186
CVE-2014-7187

Recommendation
--------------
Upgrade to the appropriate patched versions of software as listed in the above KB
article.
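As an added example, not Riverbed's code, the script below runs the widely published CVE-2014-6271 probe against a local bash binary: it exports an environment variable whose value is a function definition followed by a trailing command and checks whether that trailing command executed during bash start-up. The injected command is a harmless echo of a constructed marker string, the probe covers only CVE-2014-6271 (not the follow-up CVE-2014-7169), and it is meant for a management host or lab box; the fix for a SteelHead is the upgrade the KB article lists.

```python
# Added example (not Riverbed code): probe a local bash for CVE-2014-6271 ("ShellShock").
import os
import shutil
import subprocess
from typing import Optional

MARKER = "shellshock-probe-executed"   # constructed marker string, harmless to print


def classify_probe_output(stdout: str) -> str:
    """'vulnerable' if the injected trailing command ran, otherwise 'patched'."""
    return "vulnerable" if MARKER in stdout else "patched"


def shellshock_status(bash_path: Optional[str] = None) -> str:
    """Run the public CVE-2014-6271 probe against bash_path (default: bash on PATH).

    Returns 'vulnerable', 'patched', or 'unknown' when no bash could be run.
    """
    bash = bash_path or shutil.which("bash")
    if not bash:
        return "unknown"
    env = dict(os.environ)
    # A function definition followed by a trailing command. Vulnerable bash executes the
    # trailing command while importing the variable, before the -c script even runs;
    # patched bash treats the whole value as an ordinary string.
    env["PROBE"] = "() { :; }; echo " + MARKER
    try:
        completed = subprocess.run(
            [bash, "-c", "echo probe-done"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return classify_probe_output(completed.stdout)


if __name__ == "__main__":
    print("bash on this host:", shellshock_status())
```

A "patched" result only says the basic function-import path is closed; the later CVEs listed above were fixed by further bash updates, so the package version, not this probe, is the authoritative check.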
 203852 Corrected logic where the line length limit was not properly being applied.
 204069 Added missing help text for show authentication and show tcpdump
commands.
 204080 Fixed a problem with Discovery Agent and agent-intercept mode
optimization on long network paths with many hops. Auto-discovery could have
failed (leading to pass-through connections) due to auto-discovery packets not
reaching the client-side SteelHead. The TTL on auto-discovery packets was being
reused from the previous packet on the flow, causing the TTL to reach zero faster
than the actual number of hops the packet traverses.
 204264 To access the Alarm Status page, the Role Based Management (RBM) user
must now have read/write access to the product-specific diagnostic role. On
SteelHead this is Basic Diagnostics. On CMC or SMC it is respectively CMC or SMC
Diagnostics.
 204269
New Feature:
Updated time zone information to 2014h. This includes updated time zones for
Russia that went into effect on October 26th, 2014.
 204870 Enhanced the error message logged when optimization service cannot be
enabled if none of the in-path interfaces has an IPv4 address configured.
 205540 Fixed a problem where uploading of configuration files would sometimes not
replace the configuration on the server if the file already existed. This issue was due
to the functionality that permitted uploading of large files to continue where they
left off if the connection was lost. It would not transfer a file if one of the same size
already existed on the remote server. In the case of configuration files, it is possible
for minor configuration changes to cause the file size to stay the same.
 205665 Upgrade to OpenSSL 1.0.1j/1.0.0o to patch OpenSSL security vulnerabilities
(libs used by sport)

Details
-------
The OpenSSL security advisory https://www.openssl.org/news/secadv_20141015.txt
identifies several vulnerabilities of which the following impact RiOS:
CVE-2014-3566: Some client applications (such as browsers) reconnect using a
downgraded protocol to work around interoperability bugs in older servers. This
issue could be exploited by an active man-in-the-middle to downgrade connections
to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0
contains a number of weaknesses including POODLE (CVE-2014-3566).

Fix
---
OpenSSL has been upgraded to patch the vulnerabilities identified in the security
advisory secadv_20141015.

Recommendation
--------------
Upgrade to patched version if applicable.
 205667 Upgrade OpenSSL to 1.0.1j for security advisory "secadv_20141015": CVE-
2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568

Details
-------
This update addresses the following issues:
CVE-2014-3566 (POODLE attack): The SSL protocol 3.0, as used in OpenSSL through
1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.
CVE-2014-3567 (Session ticket memory leak): A flaw in the session ticket integrity
check mechanism allows an attacker to cause a denial of service attack by sending a
large number of invalid session tickets.
CVE-2014-3568 (Incomplete no-ssl3 build option): When OpenSSL is configured with
"no-ssl3" as a build option, the option was effectively ignored, and SSL 3.0 was still
allowed.

Fix
---
OpenSSL has been updated to address CVE-2014-3566, CVE-2014-3567 and CVE-
2014-3568. This update also includes a fix for CVE-2014-3513, though RiOS is not
impacted by it.

Recommendation
--------------
Upgrade to patched version if applicable.
 205746 Fixed a memory leak in the mgmtd process that could occur when loading the
Current Connections report on a SteelHead with more than 500 optimized connections.
 205927 CVE-2014-3660: libxml2: denial of service via recursive entity expansion

Details
-------
Libxml2 before 2.9.2 does not properly prevent entity expansion even when entity
substitution has been disabled, which allows context-dependent attackers to cause a
denial of service (CPU consumption) via a crafted XML document containing a large
number of nested entity references, a variant of the "billion laughs" attack.

Fix
---
Upgraded libxml2 package to address CVE-2014-3660.

Recommendation
--------------
Upgrade to patched version if applicable.
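Both libxml2 entries (193347 and 205927) share one root cause: entity declarations in a DTD are honored when the application meant to disable them. As an added example, not Riverbed's code, the following pure-Python check rejects any document that carries a DOCTYPE or entity declaration and never fetches external parameter entities, so an XXE payload or a nested-entity ("billion laughs") document fails closed before any expansion happens. It uses the standard-library expat bindings; the three sample documents are constructed for the demonstration.

```python
# Added example (not Riverbed code): fail closed on DTDs and entities before parsing.
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def parse_no_entities(data: bytes) -> dict:
    """Parse data and return {'root': name, 'text': concatenated character data}.

    Raises UnsafeXML on any DOCTYPE or entity declaration and never fetches external
    parameter entities, so a crafted document is rejected instead of being expanded.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    state = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declaration not allowed: %s" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML("entity declaration not allowed: %s" % name)

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = state["text"].append
    parser.Parse(data, True)          # exceptions raised in handlers propagate here
    return {"root": state["root"], "text": "".join(state["text"])}


def is_safe_xml(data: bytes) -> bool:
    """True only for well-formed documents without any DTD or entity declaration."""
    try:
        parse_no_entities(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed sample documents
BENIGN = b"<config><site name='branch01'/>ok</config>"
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE cfg [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<cfg>&xxe;</cfg>"""
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("billion-laughs", BILLION_LAUGHS)):
        print(label, "accepted" if is_safe_xml(doc) else "rejected")
```

Rejecting DOCTYPE outright is stricter than what a patched libxml2 does (it still parses DTDs, just without substituting entities when told not to), but for configuration or management-API input that never legitimately carries a DTD it removes the whole class of entity problems rather than relying on the library's flag handling.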
 217618 Fixed the issue where probes from the parent SteelHead were never path-
selected and hence not encrypted through Secure Transport. This behavior was
intentional by Path Selection's design for satisfying the use case of a typical middle
SteelHead in a deployment. Since this fix is not available in 9.0.0, Secure Transport
Concentrator mode is not available in this release. This functionality is controlled by a
CLI command, but a hybrid network’s push from the SCC enables this configuration
automatically.
 220361 Fixed a problem for customers entering IBM Domino server id files for
Domino servers that contain an ampersand (&) in their names. Without this fix, the
customer would experience the following symptoms:
1) For Domino servers with names containing XML special characters and whose
server IDs were entered in the SteelHead Lotus Notes optimization configuration, the
listing of the server in the Encryption Optimized Servers would not contain characters
past and including the special character. For instance, if a Domino server had the
following name (note the '&' XML special character in the OU):
CN=my_server/OU=&eng/O=Riverbed
The display would only show:
CN=my_server/OU=
2) Also, when a Notes connection was intercepted by the SteelHead whose server
name contained an XML special character, the server id entered by the customer was
not recognized, resulting in the server being placed in the unoptimized IP address list.
Connections for this server would be optimized as NOTES but not as NOTES-
ENCRYPT.
For reference, the XML special characters that would impact this are:
&
<
>
'
"

4) KNOWN ISSUES
 123809 The Cloud Portal does not disassociate a license from a Cloud SteelHead when
the release is performed only on the SteelHead: neither the Remove License operation
nor the no license client init command run on a Cloud SteelHead releases the license
on the portal.
Workaround: on the Cloud Portal, navigate to the Appliances tab, click the appliance
from which the license needs to be reclaimed, and click Reclaim License from
Appliance. This makes the license available for use again on the Cloud Portal.
 154426 In very rare circumstances, the optimization service aborts due to an infinite
loop when processing CIFS reads.
 164780 For customers who use Path Selection, Quality of Service, NetFlow DPI, or
Application Visibility, SMB2 connections may be reported as CIFS on the Current
Connections report. There is not yet a workaround for customers who use any of
these four features. The issue is to be fixed in version 9.0.1.
 187856 Path Selection does not work for in-path interfaces on which the
optimization service has been disabled. After the optimization service on an in-path
interface has been disabled, reboot or power cycle the appliance.
 195507 A SteelHead is not reachable for Path Selection from remote peers if its
optimization service is disabled.
 195691 Under certain conditions, TCP acknowledgement is not sent during
connection kickoff.
 197021 The SteelHead periodically fails to send NetFlow messages to the collector
under rare conditions of heavy load.
The following syslog message is a symptom of this issue: "unable to send flow
packet: [11]: Resource temporarily unavailable". Workaround: increase the UDP socket
buffer size available for NetFlow exports.
 198015 The SteelHead cannot be managed by the SteelCentral Controller for
SteelHead (versions 9.0.0 and above) when the requisite management channels are not
established. SCC versions 9.0.0 and above require two channels to the appliance: an
SSH channel and an HTTPS channel. The status of these channels can be viewed on
the SteelHead terminal with the command show scc.
A sample output of this command is shown below:
amnesiac > show scc
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname:bravo-sh378
SSH connection (from the CMC):
Status: Connected
Hostname: bravo-sh378 (10.5.39.87)
When the host for the HTTPS and SSH connections is different, or one or both channels
do not show "Connected" status, the appliance cannot be fully managed by the SCC. To
connect a SteelHead to the SCC, use the command scc hostname <hostname> in
configure mode to establish the connections. If both connections show "Connected"
to two different SCCs, remove the appliance from the Manage -> Appliances page on
the SCC that is incorrect and update the appliance username and password on the
correct SCC.
If the SCC hostname was never configured on the appliance, the appliance
tries to connect to the host riverbedcmc. Make sure to update your DNS to
point the hostname riverbedcmc to the correct SCC which is managing the
Appliance.
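As an added example (not part of Riverbed's release notes or of RiOS itself), the following Python script parses show scc output of the shape shown above and reports why an appliance would not be fully manageable by the SCC: a channel whose status is not Connected, a channel missing from the output, or HTTPS and SSH channels pointing at different SCC hosts. The sample outputs are constructed for the example; bravo-sh378 is taken from the transcript above, while the other hostnames and addresses are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample outputs modelled on the "show scc" transcript in the release notes.
SAMPLE_OK = """\
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname:bravo-sh378
SSH connection (from the CMC):
Status: Connected
Hostname: bravo-sh378 (10.5.39.87)
"""

# Constructed: both channels up, but to two different SCCs (placeholder names).
SAMPLE_MISMATCH = """\
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: scc-old.example.net
SSH connection (from the CMC):
Status: Connected
Hostname: scc-new.example.net (192.0.2.10)
"""

# Constructed: HTTPS channel still trying the default host, SSH channel up.
SAMPLE_DISCONNECTED = """\
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Disconnected
Hostname: riverbedcmc
SSH connection (from the CMC):
Status: Connected
Hostname: scc-new.example.net (192.0.2.10)
"""


@dataclass
class Channel:
    status: Optional[str] = None
    hostname: Optional[str] = None


def parse_show_scc(text: str) -> Dict[str, Channel]:
    """Return {'https': Channel, 'ssh': Channel} parsed from `show scc` output."""
    channels: Dict[str, Channel] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r'^(HTTPS|SSH) connection', line, re.IGNORECASE)
        if header:
            current = header.group(1).lower()
            channels[current] = Channel()
            continue
        if current is None:
            continue  # e.g. the Auto-registration line before any channel block
        key, sep, value = line.partition(':')
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == 'status':
            channels[current].status = value
        elif key == 'hostname':
            # Strip a trailing "(ip)" so the two channels' hostnames compare equal.
            channels[current].hostname = re.sub(r'\s*\(.*\)\s*$', '', value)
    return channels


def scc_management_problems(text: str) -> List[str]:
    """List the reasons an appliance would not be fully manageable by the SCC."""
    channels = parse_show_scc(text)
    problems: List[str] = []
    for name in ('https', 'ssh'):
        ch = channels.get(name)
        if ch is None:
            problems.append(f'{name.upper()} channel missing from output')
        elif ch.status != 'Connected':
            problems.append(f'{name.upper()} channel status is {ch.status!r}, not Connected')
    hosts = {ch.hostname for ch in channels.values() if ch.hostname}
    if len(hosts) > 1:
        problems.append('HTTPS and SSH channels point at different SCC hosts: '
                        + ', '.join(sorted(hosts)))
    return problems


if __name__ == '__main__':
    for label, sample in (('ok', SAMPLE_OK), ('mismatch', SAMPLE_MISMATCH),
                          ('disconnected', SAMPLE_DISCONNECTED)):
        print(label, scc_management_problems(sample) or 'fully manageable')
```

Feed the script the captured output of show scc from each appliance; an empty problem list means both channels are Connected to the same host, which is the state the release notes describe as fully manageable.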
 199317 QoS and DPI reporting on the Profiler will not function with data collected
from SteelHeads running RiOS 9.0. No workaround is available at this time. Report
functionality will be restored with a future SteelHead release.
 200056 In a very rare case when flow collectors are configured and the primary
interface's IP address is changed during appliance boot-up, a lot of error messages of
"[netflow.ERR] - {- -} uninitialized socket error in send" could be seen in the syslog. If
a lot of error messages "[netflow.ERR] - {- -} uninitialized socket error in send" are
seen in the syslog, removing and readding the flow collectors can resolve the issue.
 204223 During the initial boot process, customers might see an error log from
stp_client about not being able to retrieve site ID from appflow service. The secure
transport client service(stp_client) is designed to retry on such failures. These are
innocuous log messages and can be ignored as long as stp_client service is successful
in retrieving the site ID from appflow on a subsequent retry.
 204386 A warning message is displayed in the logs about MSPEC licenses expiring
during Virtual SteelHead startup. The warning is invalid and can be ignored.
 217580 Excessive memory consumption can be experienced when configuring about
200 topology sites. This behavior can lead to high swapping activity and system
slowdown on low-end SteelHead models (1050M). Disable Inbound and Outbound
QoS before configuring the sites. Enable QoS again after all the sites have been
configured.
 217732 During appliance boot-up, as various services are starting in the appliance,
sometimes a user cannot log in and sees a message saying, "Unable to sign in: Failed
obtaining authorization data for user." Wait a few moments, and try again.
 219862 SteelHeads with CCX licenses in Azure and ESX show incorrect license
parameters on UI SteelHeads with CCX licenses in Azure, and ESX displays incorrect
license parameter values on the Licenses page. Do not refer to the bandwidth and
connection limit numbers displayed there. Refer to the published official model specs
document instead.
 220172 After upgrading and restarting an appliance that uses TACACS authentication,
the Web user interface may be unavailable for a few minutes. It appears available but
indicates that authentication failed. Retry the login after 2 minutes.
 221213 With the 9.0.0 release sysdumps are known to take more time than in
previous releases. This is caused by more information being collected to help
improve effectiveness of the data in troubleshooting issues along with new feature
data being gathered. There is no workaround.
 221755 With secure transport enabled, Control channel connection towards
'stp.controller' is in "CONNECTION_FAILED" state on SteelHead and a crash from
yarder_core process on function ConnectionMgmt._establish_websocket_connection
is observed in logs.
The workaround is to restart yarder_core process. CLI Command for the same, # pm
process yarder_core restart

31
5) UPGRADING THE RIOS SOFTWARE VERSION
UPGRADING ALERT
 Path Selection: Upon upgrading a SteelHead from RiOS version 8.6.x or earlier to
9.0.0 and later, existing path selection rules are not automatically migrated. Please
refer to Knowledge Base article S25533 for details.
 QoS: RiOS version 9.0.0 and later uses a completely new QoS management and
syntax compared to RiOS version 8.6.x and earlier. Please refer to Knowledge Base
article S25532 for details prior to upgrading to RiOS version 9.0.0 and later.

Review the SteelHead Appliance Installation and Configuration Guide for information on
upgrading the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see
the Virtual SteelHead Appliance Installation Guide. If running Cloud SteelHeads, see the
Riverbed Cloud Services User's Guide.

6) STEELCENTRAL CONTROLLER FOR STEELHEAD (SCC) COMPATIBILITY
SCC was formerly known as the Central Management Console (CMC). Review the SteelHead
Appliance Installation and Configuration Guide for information on SCC compatibility.

7) HARDWARE AND SOFTWARE DEPENDENCIES
Review the SteelHead Appliance Installation and Configuration Guide for information on
hardware and software dependencies. For Virtual SteelHeads, see the Virtual SteelHead
Appliance Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services
User's Guide.

8) CONTACTING RIVERBED SUPPORT
Visit the Riverbed Support site to download software updates and documentation, browse
our library of Knowledge Base articles and manage your account. To open a support case,
choose one of the options below.
Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial
+1 415-247-7381.
Online
You can also submit a support case online through the Riverbed Support site.
Email
Send email to support@riverbed.com. A member of the support team will reply as quickly as
possible.

©2015 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo
used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their
respective owners. The trademarks and logos displayed herein may not be used without the prior written
consent of Riverbed Technology or their respective owners.
