RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD CX
RELEASE DATE: 31-OCTOBER-2017
VERSION: 9.2.3

CONTENTS
1) Supported Steelhead Models
2) New Features in RiOS 9.2.0
3) Fixed Problems
4) Known Issues
5) Upgrading the RiOS Software Version
6) SteelCentral Controller for SteelHead (SCC) Compatibility
7) Hardware and Software Dependencies
8) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS


Important: RiOS 9.2.3 supports Riverbed CX models xx55 and xx70.

2) NEW FEATURES IN RIOS 9.2.0


Hostname-Based Interception Policy
Logical Groups of Domain Names and Hostnames in In-Path Rules
In-path rules recognize and process logical groups of domain names and hostnames using a
single label that resolves to several IP addresses. This ability to group domain names and
hostnames simplifies in-path rule management. One in-path rule replaces many. You can
specify an Internet domain with wildcards to define a wider group. For example, a domain
label called Office365 can be configured to match *.microsoftonline.com, *.office365.com,
or *.office.com in a single in-path rule.

A single rule can target a specific service such as SharePoint—even when the same IP
address serves content for both SharePoint and Lync.
You can also use host labels to populate the in-path destination with a set of IP addresses
and subnets to the service.

Hybrid Networking
Performance and Scale Improvements
You can define up to 500 sites for increased scale and configuration responsiveness. QoS,
path selection, and secure transport can now handle up to 25 percent more optimized
connections per second without classification errors.
Uplink Probe Enhancements
The uplink probing techniques have been improved to:
 leverage the SteelHead’s traffic awareness to accelerate probing to sites that are seeing
traffic, while backing off probing for sites that are not seeing traffic. If an uplink isn’t
currently in use, it isn’t probed.
 avoid redundancy by probing only a subset of peers instead of probing all peers. For
example, if there are four peers on a path that is up and actively seeing traffic, the probe
monitors two peers instead of four. Also, the probes monitor only the uplinks referenced
in a path selection rule. Subset probing is helpful with secure uplinks where both secure
and nonsecure uplinks are created but aren’t referenced by a path selection rule.
Path Selection Support for Transit Site Traffic
Transit traffic is traffic that is not sourced or destined locally. For example, in a hub-and-
spoke configuration with a static VPN setup, the SteelHead does not recognize traffic as
being initiated by an external site and applies path selection rules for LAN-side traffic. The
transit site path selection rules route return traffic outside the VPN tunnel, causing the
firewall to drop packets. A new CLI command, path-selection-transit-bypass, pushes general
path selection rules but selectively turns off path selection for transit site traffic. RiOS
identifies transit traffic by checking subnets to determine whether the traffic is sourced or
destined locally. This feature maintains the original path selection intent, including failure
conditions, even when the traffic is routed through a transit site.
Path Selection with Interceptor (PSIC) Automatic Channel Configuration
To communicate efficiently, PSIC requires cluster channels between the SteelHead and
SteelHead Interceptor appliances. Cluster channels are traditionally configured on the
SteelHead. You can enable the PSIC automatic channel configuration feature using the
SteelCentral Controller (SCC) to configure the cluster channels and then push the
configuration to the appliances. No additional configuration tasks are required.

Web Proxy
Virtual In-Path Deployment
You can now use the Web proxy with virtual in-path deployments such as Web Cache
Communication Protocol (WCCP) and policy-based routing (PBR).
Caching Enhancements:
 The cache content is persistent after reboots and service restarts.
 The individual object size limitation has been removed.
 An expanded cache storage space. The CX 555 and CX 755 models can use up to 50 GB
of cache space for Web Proxy storage.
Host Label and Domain Label Integration with Web Proxy
You can use host labels and domain labels to define more granular traffic with the Web proxy
service.
Additional Log Formats Support
An expanded request logging format improves visibility, debugging, and diagnostics.

Applications
SMB 3.1.1 Optimization
This feature includes Server Message Block (SMB) v3.1.1 dialect support when enabling
SMBv3 on a SteelHead. SMBv3.1.1 was introduced by Microsoft in Windows 10 and Windows
2016. SMB v3.1.1 is only negotiated when systems of these operating system versions are
directly connected. RiOS 9.2 supports SMB file sharing as well as Windows domain
integration.
Windows 10 and Windows 2016 SMB Support
RiOS supports SMB file sharing as well as Windows domain integration for Windows 10 and
Windows Server 2016 Technical Preview 2.
SMB Latency Optimization Support for Mac OS X 10.9 and 10.10 Client
RiOS provides SMBv2 and SMBv3 latency optimization support for Mac OS X clients.
Full MAPI over HTTP Optimization
RiOS includes application-level latency optimization for MAPI over HTTP in addition to the
bandwidth optimization introduced in RiOS 9.1. This feature accelerates and reduces the
data consumption across Microsoft Outlook and supports both cached exchange and online
modes.
Expanded Exchange Server 2016 and Outlook 2016 Qualifications

SSL
TLS 1.2 Support
Transport Layer Security (TLS) 1.2 is enabled by default and upon upgrade for client-side and
server-side SteelHeads for improved security.
OpenSSL 1.0.2 Support
The SteelHead support for the SSL protocol stack is based on OpenSSL 1.0.2. This version
includes support for Camellia ciphers, krb5 ciphers, and ECDHE cipher negotiation.
SafeNet Hardware Security Module (HSM) Support for SSL Certificates
You can store proxy private keys and certificates on SafeNet Luna HSM devices for SSL
optimization.
SHA2 Support for Proxy Certificate
The SteelHead uses SHA-512 for proxy certificate signature hash.
Subject Alternative Name (SAN) with SSL Proxy Certificate
Includes Subject Alternative Name field checking when the SteelHead returns a proxy
certificate.

Platforms
SteelHead (Virtual Edition) KVM Image
You can deploy a SteelHead (virtual edition) using a kernel-based virtual machine (KVM)
image format. A KVM consists of a loadable kernel module that provides the core
virtualization infrastructure and a processor-specific module that provides virtualization
extensions running on a Linux kernel as a host. The support includes models up to and
including VCX 1555H and requires no licensing changes.
New Microsoft Azure-Based Larger CCX Models
An Azure cloud CCX-SUB-PERF-TIER4 license can optimize Azure workloads up to 400 Mbps to
Cloud IaaS while supporting a connection count of up to 30,000 connections per SteelHead.
The SteelHead-c CCX runs as a virtual machine hosted in Azure infrastructure services.

3) FIXED PROBLEMS
CVE bugs fixed in version 9.2.3
For additional details, refer to the Security Finder
 255600 CVE-2013-0292: dbus-glib: Local privilege escalation due improper filtering of
message sender when NameOwnerChanged signal received
 255727 Several vulnerabilities in the krb5 RPM, as used by various base operating
system programs.
 255736 RedHat Security Advisory RHSA-2014:1436-2 for X11 libraries
 256008 CVE-2013-4312 - Kernel may allow an attacker to consume all file descriptors.
 257104 CVE-2011-2939, CVE-2011-3597: perl vulnerabilities (Unicode memory
corruption and Digest attack).
 257219 CVE-2013-1813: busybox may create directories with 0777 permissions.
 257222 CVE-2012-0862: xinetd is vulnerable to attacks through tcpmux service.
 257225 CVE-2011-1201, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, CVE-2012-
2871: multiple vulnerabilities in libxslt.
 257228 CVE-2011-5321, CVE-2015-1593, CVE-2015-2830, CVE-2015-2922, CVE-2015-
3636: multiple vulnerabilities in dracut.
 257235 CVE-2012-5669: freetype has a vulnerability due to out of bounds read.
 257237 CVE-2013-4288: polkit has a race condition vulnerability.
 257239 CVE-2014-3634: rsyslog remote denial of service with crafted priority value.
 257240 CVE-2013-4449: openldap improper reference counting vulnerability.
 271582 CVE-2012-2137: Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem
in the Linux kernel.
 271586 CVE-2014-3688: The SCTP implementation in the Linux kernel before 3.17.4
allows remote attackers to cause a denial of service (memory consumption) by
triggering a large number of chunks in an association's output queue
 271587 CVE-2014-3673: The SCTP implementation in the Linux kernel through 3.17.2
allows remote attackers to cause a denial of service (system crash) via a malformed
ASCONF chunk
 275727 OpenSSH < 7.4 is vulnerable to CVE-2016-10012, relating to pre-authentication
compression.
 276185 When the caching DNS server is enabled, it is vulnerable to CVE-2016-9131,
CVE-2016-9147, CVE-2016-9444 denial of service attacks (assertion failure).
 281445 CVE-2017-6508: CRLF injection vulnerability in the url_parse function in url.c in
Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF
sequences in the host subcomponent of a URL.
 283795 CVE-2017-5461: An out-of-bounds write flaw was found in the way NSS
performed certain Base64-decoding operations.
 284444 CVE-2017-8779: rpcbind through 0.2.4 and LIBTIRPC through 1.0.1 and 1.0.2-rc
through 1.0.2-rc3 do not consider the maximum RPC data size during memory allocation
for XDR strings.
 284865 CVE-2017-1000368: Todd Miller's sudo version 1.8.20p1 and earlier is
vulnerable to an input validation (embedded newlines) in the get_process_ttyname()
function.
 285827 CVE-2017-1000366: glibc contains a vulnerability that allows specially crafted
LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias,
potentially resulting in arbitrary code execution.
 286184 CVE-2017-7502: A null pointer dereference flaw was found in the way NSS
handles empty SSLv2 messages.
 286185 CVE-2017-3143, CVE-2017-3142: vulnerabilities in BIND handling of TSIG
authentication for dynamic updates.
 286625 Apache httpd less than 2.4.27 has vulnerabilities CVE-2017-9788 and CVE-2017-
9789.
 287227 tcpdump before 4.9.2 has various security vulnerabilities, mostly in print
functions.
 287295 CVE-2015-1379: The signal handler implementations in socat before 1.7.3.0 and
2.0.0-b8 allow remote attackers to cause a denial of service (process freeze or crash).
 287342 CVE-2017-10989: The getNodeSize function in ext/rtree/rtree.c in SQLite
through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs
in a crafted database, leading to a heap-based buffer over-read.
CVE bugs fixed in version 9.2.2
For additional details, refer to the Security Finder
 254499 CVE-2016-1285 and CVE-2016-1286 [BIND]: The BIND nameserver, used for the
caching DNS feature, has vulnerabilities that can lead to a denial of service.
 254773 OpenSSH before 7.2p2 has an X11 forwarding vulnerability CVE-2016-3115 (X11
forwarding is always off, so this vulnerability cannot be enabled on the appliances)
 257224 CVE-2014-9636: unzip out-of-bounds allows remote attackers to cause
read/write/crash in test_compr_eb() in extract.c
 261181 NTP vulnerabilities described at
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_S
ecuri
 265375 OpenSSH before 7.3 has the following vulnerabilities, described in
http://www.openssh.com/txt/release-7.3: CVE-2016-6515, CVE-2016-6210, and CVE-
2015-8325.
 265608 Multiple denial of service attacks involving crafted XML files may cause the
libxml2 software library to crash.
 265609 Security update to "file" binary for several vulnerabilities related to high CPU
consumption, a crash, or disclosure of memory contents.
 269724 CVE-2016-2776: Potential BIND denial-of-service attack.
 270444 CVE-2016-5195: Linux kernel copy-on-write (COW) results in local privilege
escalation.
 270610 CVE-2016-5364, CVE-2015-5366: Linux kernel UDP denial of service
vulnerabilities.
 271325 curl .47.1 has various vulnerabilities as described at
https://curl.haxx.se/docs/security.html .
 271337 CVE-2016-8864: Caching DNS server, if enabled (not enabled by default), is
vulnerable to denial of service attack.
 272744 CVE-2016-6313: A design flaw was found in the libgcrypt PRNG (Pseudo-Random
Number Generator). An attacker able to obtain the first 580 bytes of the PRNG output
can predict the following 20 bytes.
 273275 CVE-2016-7431: ntpd has a remote denial of service vulnerability. CVE-2016-
7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7433, CVE-2016-7434,
CVE-2016-9310, CVE-2016-9312 are not applicable or are a low security risk.
 275711 OpenSSH before 7.4 has security vulnerabilities: CVE-2016-10009, CVE-2016-
10010, CVE-2016-10011, and CVE-2016-10012.
 276808 CVE-2016-6321: GNU tar vulnerability
 276957 CVE-2017-3731, CVE-2017-3732, CVE-2016-7055: OpenSSL vulnerabilities.
 278494 CVE-2015-8126, CVE-2015-8472, CVE-2015-7981: libpng vulnerabilities.
 278495 CVE-2016-7032, CVE-2016-7076: sudo vulnerability.
 278496 CVE-2016-1248: vim vulnerability
 278513 CVE-2016-2776, CVE-2016-2848, CVE-2016-9147, CVE-2016-8864: Denial of
service flaws found in BIND.
 281444 NTP before 4.2.8p10 has multiple security vulnerabilities: CVE-2017-6451, CVE-
2017-6452, CVE-2017-6462 to CVE-2017-6464, CVE-2017-6455, CVE-2017-6458 to CVE-
2017-6460, and CVE-2016-9042.
 282374 Multiple security vulnerabilities in bash CVE-2016-0634, CVE-2016-7543, and
CVE-2016-9401.
 282376 A race condition was found in the way su handles the management of child
processes. A local authenticated attacker could use this flaw to kill other processes with
root privileges under specific conditions (CVE-2017-2616).
 282380 Multiple security vulnerabilities in glibc CVE-2014-9761, CVE-2015-8776, CVE-
2015-8778, and CVE-2015-8779.
Problems fixed in version 9.2.3
 203889 Fixed an issue for the following cases where the filename length is incorrect:
- SetInfo request.
- Notify Response.
- class FILE_ALL_INFO in GetInfo response.
The SteelHead identifies the invalid filename length and blacklists the connection in all
cases listed above.
 217860 Fixed an issue where BMC's event list may be tagged by two different time
zones depends on when the events occur.
BMC refers to the hardware clock, which has the UTC time zone. Linux updates the time
of BMC by using the utility ipmitool (without really changing the content of the
hardware clock). If Linux halts or reboots, BMC will go back to the UTC time.
We fixed this problem by updating the hardware clock to have the operating system's
time zone every midnight or whenever the OS halts or reboots. With this fix, the time
zone of BMC and OS should be synchronized at all time.
However, when another release image that does not have this fix is used. The out-of-
sync issue will reoccur.
 236824 Fixed an issue where the SteelHead might log "Connection reset by peer" error
message when connection between SteelHead and SteelCentral Controller is
interrupted.
 237176 The fix is to avoid creating object for steelhead in "CN=Servers,CN=<site-
name>,CN=Sites,CN=Configuration,DC=<domain>"" object during domain join/rejoin.
In case of upgrade, the following command is required to be executed to overcome the
issue. "protocol domain-auth auto-conf win2k8-mode op-type leave adminuser <admin-
user> adminpass <admin-password>""
 248311 Fixed an issue where errors are the result of the TLS "Extended Master Secret"
capability being added per Microsoft KB 1031320
(https://support.microsoft.com/en-us/kb/3081320). Support for TLS extended master secret
has been added to the system.
 249787 Fixed an issue where QoS upgrade and migration errors occurred after
upgrading from 8.6.1b to 9.1.1. There was no implementation to remove the migration
errors from the SteelHead UI. This has been corrected through the fix for this bug. Now,
the error can be removed either from the CLI or from the SteelHead UI.
The CLI command to remove the error is:
no qos migration-error
Once removed, it can be verified through the following CLI command:
show qos migration-error
The error can also be removed from the SteelHead UI by choosing Networking > Quality
of Service.
The error appears there and can be removed by selecting the Clear Errors option.
 252047 Fixed an issue where logging in to the BMC would fail due to some of the IPMI
cipher types getting disabled due to an earlier fix. We have restored all IPMI cipher
types except the zero cipher type for logging in to the BMC.
 253126 Fixed an issue where optimization reports could show unusually high values that
didn't match the actual traffic.
 256125 Fixed an issue where crashes occurred at NetportManager. A memory
corruption occurred in the critical section due to lack of synchronization. The scope of
the critical section has been increased to addresses this issue.
 264916 Fixed the issue by improving error handling for the SteelHead and attempting to
clean up all pending events before trying to shut down a connection during a blacklisting
event.
 267325 There are 2 reporting paths:
smartctl -A <dev> # smart.txt
/opt/tms/bin/rvbd_super -g <dev> # hardwareinfo.txt
when available, smartctl is used to generate alarm
hardwareinfo.txt now reports either smartctl or rvbd_super wear computation, so value
matches alarm trigger
 269218 Fixed an issue in the SMB2 protocol implementation on SteelHead that could
cause the appliance to fail with a crash dump. The fix acquires a lock to perform a find
operation under certain conditions.
 270307 Fixed an issue where crashes occurred at NetPortManager. A memory
corruption has happened in the critical section due to lack of synchronization. The scope
of the Critical Section has been increased to address this issue.
 275085 Fixed an issue where Kerberos credential replication of the trusted domain fails
when there is a realm trust in the trusted domain list. The fix is to skip the realm-trust
entry in the trusted domain list.
 275859 Fixed two issues where optimized connections via STP fail when OOB
Transparency set to correct addressing.
OOB connection is not path selected in same way as inner connections:
o When a new client-server connection is path selected the same path-selection rules
applies to the inner connections even though the IPs of inner connections are not part
of the path selection rule.
o This is not true for OOB. If OOB’s IP address is not matched to any path selection rule
it is relayed.
o If OOB is forming b/w inpath0_0 of CFE and inpath1_0 of SFE. There is no routing b/w
them hence OOB connection is not established.
o Ideally the OOB is path-selected in same way as inner connections.
o The fix for this issue is to set the same path information for OOB as it is for client-
server connection.
Path selection information is lost in multi-path scenario:
o On SFE all the packets destined to the WAN are first leaving through lan1_0 and then
entering SFE again through lan0_0. This is because of the routes set on SFE.
o In current path selection solution, the path information is stored in the inner
connection’s socket. But when the packet reenters the SFE it does not reach the TCP
layer because this packet is not meant for SFE. This means the SKB does not have the
socket information and the path information is lost.
o Because of above reasoning the packets of inner connections gets relayed. In
customer scenario, they are going via an MPLS link instead of an internet link.
o To fix this issue the system preserves the socket information when packet is
ricocheted.
 275896 Fixed an issue with Web proxy file download failures due to slow Internet or a
large file. The Web proxy no longer restricts client transactions to less than 15 minutes.
 277167 Fixed an issue where the SteelHead Outlook Anywhere optimization component
caused SteelHead optimization services to fail. The fix gracefully terminates the
connection rather than crashing the appliance.
The following characteristic log messages will be seen for a customer experiencing this
issue:
...
Jan 19 07:29:52 Steelhead sport[32111]: [rpch/mapi/0/csh.NOTICE] 45429661
{A.A.A.A:54460 B.B.B.B:54468} Got server EOF. Destroying accelerator
Jan 19 07:29:52 Steelhead sport[32111]: [rpch/mapi.ERR] 45429661 {A.A.A.A:54460
B.B.B.B:54468} consume() unknown packet type: MSRPC_REQ for ResponseFromChain
...
 277255 Fixed an issue where path monitoring of an uplink doesn't start and uplink
tracks remain in a Never Reached state. The problem of uplink not coming up was due
to path-selection rule not matching. This issue was fixed so that a check for the extra " in
the input string is done when it is passed to QoSd for parsing and keeping in its own
internal data structure. If the extra " are present, then these extra attributes are not
stored.
In addition, a fix for custom-names not matching for SSL traffic in 9.1.3 and 9.2.1 has
been provided. If a rule is configured with a custom SSL application having a common
name in it and if the traffic also has a common name, then it matches in 9.1.3 whereas it
doesn't match in 9.2.1. A global flag has been set to true if path selection rules have
application/application group with L7 as SSL and a common-name attribute in it.
 278834 Fixed an issue where application matching on SSL and common name does not
match corresponding connections. Value of the maximum packet sent to DPI was earlier
set to 5(by default) within which the packet containing SSL name was not sent to DPI for
classification and hence the common name was not returned.
We have added a CLI to set the maximum number of packets to be sent to DPI for
classification, so that for SSL connection, value can be set to around 10.
 279512 Fixed an issue where, in rare cases, when an error has occurred in a MAPI/HTTP
transaction and the MAPI/HTTP session is using more than one connection, the
optimization services may crash during the cleanup of the MAPI/HTTP session. This fix
ensures that during session clean up, only the connection that instantiated the error
does the cleanup.
 280104 Fixed an issue were large amounts of data are transferred in an Outlook
Anywhere session, typically one that has been open for a long time (rarely), the
optimization services may crash with the log message: "[rpch/VC.NOTICE] ... but
successor cookies do not match!". After a sufficient amount of information is
transferred in an Outlook Anywhere session, the connection will be refreshed. In the fix,
the optimization services now uses the updated connections.
 280485 Fixed an issue where the use of the domain label feature could cause a kernel
crash on a 32-bit system in certain circumstances. With this fix, the resource usage of
the domain label feature in in-path rules was reduced to prevent a kernel crash due to
stack overflow.
 282090 Fixed an issue where the domain join operation failed with an "invalid
character" error if the NETBIOS name contained an ampersand (&). An ampersand (&) is
now allowed in the NetBIOS name.
 282102 Fixed an issue where, in rare cases, if Exchange Port Mapping service receives
invalid MAPI protocol, it may lead to a crash in the optimization services. In this fix,
updated the EPM service to handle invalid MAPI packets, with a zero fragment lengths.
 282714 Enhancement: Added CLI command "reset factory preserve-licenses" to
preserve licenses when issuing a factory reset.
 283556 Fixed an issue where a regression caused the bypass NIC to always fail-to-bypass
and never fail-to-block, irrespective of the desired configuration. This fix restored the
bypass NIC configuration so that the configuration dictates whether to fail-to-block or
fail-to-bypass.
 283613 Fixed an issue where QoS marking was no longer working after upgrading to
9.2.1d. This fix increases the socket buffer size to handle longer messages up to a length
of 65536 bytes.
 283688 Fixed a memory issue caused by accumulated FOIs by removing the reference
from the read ahead engine for a chained (create, read, and close) request after
processing a close response.
 284204 Fixed the SCSI device discovery code so that a flip-flop in the device's presence
status is handled correctly and does not lead to appliance reboot.
 284221 Fixed a problem where the optimization service would crash when either MAPI
or HTTP is enabled. Two threads could get blocked indefinitely while each is waiting to
acquire a mutex already held by the other thread. The fix involved releasing the first
mutex held by one of the threads before attempting to acquire the second mutex.
 284326 Processing of a failed SMB create response may lead to a SteelHead crash
because the failed create response does not contain a file id (FID). The create response
packet validation check tries to get the FID from the failed create response and leads to
the crash. The fix is not to fetch the FID when the create response fails.
 284361 Fixed an issue where QoSd kept crashing after upgrading to 9.6.0a. During the
custom applications attribute checking via the bitmap we were trying
to access the elements of app2id array beyond its limit. In C/C++ accessing the array
beyond the size results in undefined behavior which resulted in this issue. This has been
addressed through this fix.
 285118 Fixed a race condition between a connection close and the scheduling of a MAPI
over HTTP Disconnect request on that same connection leading to a crash. This crash
can be identified in the log of a backtrace through the checkFlushingKey function.
 285165 Fixed an issue where Steelhead GUI pages are not loading if Steelhead is
accessed via IPv6 address.
 286831 Please see:
https://supportkb.riverbed.com/support/index?page=content&id=S30932
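
The status check described under 284326 above, written out as a small parser. This is an added example, not Riverbed's code; it assumes the SMB2 wire layout from MS-SMB2, the function and constant names are illustrative, and both sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field offsets and sizes taken from the SMB2 wire format (MS-SMB2). */
#define SMB2_HDR_LEN           64
#define SMB2_OFF_STATUS        8
#define SMB2_OFF_COMMAND       12
#define SMB2_OFF_FLAGS         16
#define SMB2_FLAG_RESPONSE     0x00000001u /* SMB2_FLAGS_SERVER_TO_REDIR */
#define SMB2_CMD_CREATE        0x0005
#define CREATE_RSP_STRUCT_SIZE 89          /* 88 fixed bytes + 1 buffer byte */
#define CREATE_RSP_FIXED_LEN   88
#define CREATE_RSP_OFF_FILEID  64          /* offset inside the response body */
#define ERROR_RSP_STRUCT_SIZE  9           /* body sent with a failure status */
#define STATUS_SUCCESS         0x00000000u
#define STATUS_ACCESS_DENIED   0xC0000022u

enum fid_result { FID_OK = 0, FID_NOT_SMB2 = -1, FID_NOT_CREATE_RSP = -2,
                  FID_CREATE_FAILED = -3, FID_MALFORMED = -4 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)le16(p) | ((uint32_t)le16(p + 2) << 16); }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Copy the 16-byte FileId out of a CREATE response, but only after the status,
 * structure size and length prove that the body really carries one. */
int smb2_create_fid(const uint8_t *msg, size_t len, uint8_t fid[16])
{
    const uint8_t *body;
    if (len < SMB2_HDR_LEN || memcmp(msg, "\xfeSMB", 4) != 0) return FID_NOT_SMB2;
    if (le16(msg + SMB2_OFF_COMMAND) != SMB2_CMD_CREATE ||
        !(le32(msg + SMB2_OFF_FLAGS) & SMB2_FLAG_RESPONSE)) return FID_NOT_CREATE_RSP;
    /* A failed create carries the 9-byte error body: there is no FileId to read. */
    if (le32(msg + SMB2_OFF_STATUS) != STATUS_SUCCESS) return FID_CREATE_FAILED;
    body = msg + SMB2_HDR_LEN;
    if (len - SMB2_HDR_LEN < CREATE_RSP_FIXED_LEN ||
        le16(body) != CREATE_RSP_STRUCT_SIZE) return FID_MALFORMED;
    memcpy(fid, body + CREATE_RSP_OFF_FILEID, 16);
    return FID_OK;
}

/* Constructed sample: a CREATE response with the given status; buf holds 160 bytes. */
size_t build_create_rsp(uint8_t *buf, uint32_t status)
{
    uint8_t *body = buf + SMB2_HDR_LEN;
    int i;
    memset(buf, 0, 160);
    memcpy(buf, "\xfeSMB", 4);
    buf[4] = SMB2_HDR_LEN;                 /* header StructureSize */
    put32(buf + SMB2_OFF_STATUS, status);
    buf[SMB2_OFF_COMMAND] = SMB2_CMD_CREATE;
    put32(buf + SMB2_OFF_FLAGS, SMB2_FLAG_RESPONSE);
    if (status != STATUS_SUCCESS) {        /* error body: 8 fixed bytes + 1 data byte */
        body[0] = ERROR_RSP_STRUCT_SIZE;
        return SMB2_HDR_LEN + 9;
    }
    body[0] = CREATE_RSP_STRUCT_SIZE;
    for (i = 0; i < 16; i++) body[CREATE_RSP_OFF_FILEID + i] = (uint8_t)(0xA0 + i);
    return SMB2_HDR_LEN + CREATE_RSP_FIXED_LEN;
}

int main(void)
{
    uint8_t msg[160], fid[16];
    size_t n = build_create_rsp(msg, STATUS_SUCCESS);
    printf("successful create: %d\n", smb2_create_fid(msg, n, fid));
    n = build_create_rsp(msg, STATUS_ACCESS_DENIED);
    /* 73-byte message: a fixed-offset FileId read would need 144 bytes. */
    printf("failed create (%u bytes): %d\n", (unsigned)n, smb2_create_fid(msg, n, fid));
    return 0;
}
```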
Problems fixed in version 9.2.2
 120109 When using RADIUS authentication, if the server sends an access-accept
message with multiple Vendor Specific Attributes (VSA), the Riverbed "local-user" VSA
must be first. Otherwise, the requested user mapping will not be honored.
 162024 Fixed an issue where error messages occur in the log when viewing bypass table
entries for servers with a domain name longer than 64 characters. The optimization
service is unaffected, however this condition could lead to an unresponsive CLI.
With this fix, bypass table descriptions are still truncated. However, the error message
has been resolved and no longer leads to an unresponsive CLI.
 193466 Fixed an issue that triggered a high CPU alarm and could cause a possible link
drop during a SteelCentral Controller (SCC) policy push. Fix improves efficiency of the
code that is responsible for configuring certificate updates on the SteelHead.
 195298 Fixed an issue that caused a SteelHead to crash when duplicate File IDs (fid) are
returned by the server for different open/create requests.
 247279 Fixed an issue where HTTP 1.1 web apps using chunked transfer-encoding were
sending very large numbers of small chunks, which can cause high CPU utilization. In
extreme cases, the high CPU condition caused by long chains of small chunks can cause
a watchdog timeout, stack trace, and pause optimization. With this fix, the Outlook
Anywhere services combine the small chunks into one larger chunk.
 255234 Fixed an issue where TLSv1.0 in HTTPS access might be vulnerable to CVE-2011-
3389 ("BEAST" attack involving weak CBC modes).
For newly installed appliances, the default settings for the web interface allow only
TLSv1.1 and TLSv1.2 for HTTPS access (i.e. TLSv1.0 is now disabled by default instead of
enabled as in previous versions). This setting is to reduce the vulnerability to CVE-2011-
3389 ("BEAST" attack involving weak CBC modes).
The web settings for existing appliances are NOT changed on upgrade. To disable
TLSv1.0, use "no web ssl protocol tlsv1" from the command line.
 256887 Fixed an issue where VLAN tagged packets from different connections were
always hashed into a single Shared Fair Queueing (SFQ) slot, which would lead to
excessive packet drops. This behavior occurred because the IP tuple was not extracted
correctly for VLAN tagged packets.
With this fix, the IP tuple is extracted correctly for VLAN tagged packets.
 257863 Fixed an issue where the BMC would become inaccessible after the system is
shut down or its shared port is administratively brought down.
 258526 Fixed an issue where a syntax error, or some other formatting error, in the
Kerberos configuration file /etc/krb5/krb5.conf can cause SteelHead to crash. With this
fix, syntax or formatting errors are processed without causing a crash.
 260802 Fixed an issue that caused the "show running-config" command to fail when the
system configuration contains Unicode characters. The system was not properly parsing
Unicode, causing the command to abort before printing the system configuration.
 261671 Fixed an issue that caused rsyslog to fail to start due to files existing in /dev/log.
On start of rsyslog, /dev/log is checked for files; if any files are found, they are removed
before starting it.
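
The failure described under 256887 above (VLAN-tagged connections all landing in one SFQ slot) can be reproduced with a short parser. This is an added example, not Riverbed's code: the fixed-offset parser is one assumed way the tuple extraction can go wrong, FNV-1a stands in for the queue's real hash, and the slot count, names and frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_VLAN 0x8100 /* 802.1Q tag */
#define ETHERTYPE_QINQ 0x88A8 /* 802.1ad outer tag */
#define SFQ_SLOTS      128    /* assumed slot count, illustration only */

struct flow_tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Fill the tuple from the IPv4 header at offset `off`; ports only for TCP/UDP. */
static int parse_ipv4(const uint8_t *f, size_t len, size_t off, struct flow_tuple *t)
{
    size_t ihl = (len > off) ? (size_t)(f[off] & 0x0f) * 4 : 0;
    if (ihl < 20 || len < off + ihl || (f[off] >> 4) != 4) return -1;
    t->proto = f[off + 9];
    t->saddr = rd32(f + off + 12); t->daddr = rd32(f + off + 16);
    if ((t->proto == 6 || t->proto == 17) && len >= off + ihl + 4) {
        t->sport = rd16(f + off + ihl); t->dport = rd16(f + off + ihl + 2);
    }
    return 0;
}

/* Flawed variant: assumes IPv4 EtherType at byte 12; tagged frames leave the tuple zeroed. */
int tuple_naive(const uint8_t *f, size_t len, struct flow_tuple *t)
{
    memset(t, 0, sizeof *t);
    if (len < 14 || rd16(f + 12) != ETHERTYPE_IPV4) return -1;
    return parse_ipv4(f, len, 14, t);
}

/* Corrected variant: step over up to two VLAN tags before reading the tuple. */
int tuple_vlan_aware(const uint8_t *f, size_t len, struct flow_tuple *t)
{
    size_t off = 12, tags = 0; /* off = offset of the current EtherType field */
    memset(t, 0, sizeof *t);
    if (len < 14) return -1;
    while (rd16(f + off) == ETHERTYPE_VLAN || rd16(f + off) == ETHERTYPE_QINQ) {
        if (++tags > 2 || len < off + 6) return -1; /* tag (4) + next EtherType (2) */
        off += 4;
    }
    if (rd16(f + off) != ETHERTYPE_IPV4) return -1;
    return parse_ipv4(f, len, off + 2, t);
}

/* Slot selection: FNV-1a over the serialized tuple, a stand-in for the real hash. */
unsigned sfq_slot(const struct flow_tuple *t)
{
    uint8_t k[13]; size_t i;
    uint32_t h = 2166136261u;
    wr32(k, t->saddr); wr32(k + 4, t->daddr);
    wr16(k + 8, t->sport); wr16(k + 10, t->dport); k[12] = t->proto;
    for (i = 0; i < sizeof k; i++) { h ^= k[i]; h *= 16777619u; }
    return h % SFQ_SLOTS;
}

/* Constructed frame (64-byte buffer): Ethernet [+ 802.1Q if vlan_id >= 0] + IPv4 + TCP. */
size_t build_frame(uint8_t *f, int vlan_id, uint32_t saddr, uint32_t daddr,
                   uint16_t sport, uint16_t dport)
{
    size_t off = 12;
    memset(f, 0, 64);
    if (vlan_id >= 0) { wr16(f + off, ETHERTYPE_VLAN); wr16(f + off + 2, (uint16_t)(vlan_id & 0x0fff)); off += 4; }
    wr16(f + off, ETHERTYPE_IPV4); off += 2;
    f[off] = 0x45; f[off + 9] = 6; /* IPv4, IHL 5, protocol TCP */
    wr32(f + off + 12, saddr); wr32(f + off + 16, daddr);
    wr16(f + off + 20, sport); wr16(f + off + 22, dport);
    return off + 40;
}

/* Number of distinct slots that nflows different connections end up in. */
int distinct_slots(int vlan_id, int vlan_aware, int nflows)
{
    unsigned used[SFQ_SLOTS] = {0};
    uint8_t f[64];
    struct flow_tuple t;
    int i, n = 0;
    for (i = 0; i < nflows; i++) {
        size_t len = build_frame(f, vlan_id, 0x0a000001u + (uint32_t)i, 0x0a010001u,
                                 (uint16_t)(40000 + i), 445);
        if (vlan_aware) tuple_vlan_aware(f, len, &t); else tuple_naive(f, len, &t);
        if (!used[sfq_slot(&t)]++) n++;
    }
    return n;
}

int main(void)
{
    printf("32 tagged flows: naive parser %d slot(s), VLAN-aware parser %d slot(s)\n",
           distinct_slots(100, 0, 32), distinct_slots(100, 1, 32));
    return 0;
}
```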
 263535 Fixed an issue with the DNS cache statistics for hits and misses being reported
incorrectly as zero (0) after upgrading the SteelHead appliance to release 9.2.0.
This issue is limited to the hits and misses statistics only. This issue does not affect the
statistics shown in the DNS caching and cache utilization report.
 265020 Fixed an issue where type conversion during sysdump generation would cause
the sysdump to hang indefinitely.
 265055 Fixed an issue where GeoDNS for SteelHead SaaS Office 365 optimization
contained a memory leak in certain scenarios. This fix removes the leak that could build
over time leading to high CPU overhead.
 265896 Fixed an issue where optimization service disruption occurred when a TIMER
event was scheduled for processing while the SignX blade was shutting down. The fix
ensures that all pending events are cleared before the blade shutdown to ensure they
are not processed while the blade is shutting down.
 266502 Fixed a concurrency issue that caused the optimization service to crash when
more than one thread concurrently accessed a map to dump MAPI diagnostic
information. This happens when multiple threads encounter MAPI optimization failure
and attempt concurrent access to the map. The map is protected by a lock that will
avoid this crash.
 267620 Fixed an issue where a A MIB syntax error caused the SNMP tool (Net-SNMP) to
fail when parsing the file. The fix realigns the description in MIB files with the correct
syntax.
 268005 Fixed an issue where, in a rare scenario, the server-side MAPI/HTTP
optimization service might blacklist a client server pair while the client-side SteelHead
was working with it. This might cause the SteelHead optimization services to crash.
With this fix, the client-side MAPI/HTTP optimization service was corrected to not
assume resources will always be present.
 268381 Fixed an issue that prevented the WebUI from supporting TLSv1.2 connections
when the appliance is running in FIPS mode.
 268705 Fixed a race condition where multiple connections could corrupt the stream
splitting state and lead to a crash. Refactored the way this code was using locks to
eliminate the failure.
 269556 Fixed an issue where the optimization service could crash when an array in the
data store had an invalid value at a particular valid offset.
 270018 Fixed an issue where intermittent sensor issues may trigger a false power supply
error by adding an additional threshold before the alarm is triggered.
 271707 Fixed an issue where a lower-priority QoS rule would be used instead of the
higher-priority rule for an app when both a lower-priority app group rule and higher-
priority constituent app rule (both containing the same app) existed.

 273259 Fixed an issue where the server-side session reuse fails when the original
session was terminated before negotiation completed. The result is logged as
"error:140750DD:SSL routines:ssl23_connect:ssl23 doing session id reuse" if the session
is subsequently selected for reuse. This fix adds checks to ensure only fully negotiated
SSL sessions are allowed for session reuse.
 274237 Fixed an issue where the optimization service crashes when importing a
certificate that uses an ECDSA type key. A mgmt WARNING message accompanied the
crash stating "unknown public key type".
This fix makes updates that allow the use of certificates with ECDSA keys.
 274845 Fixed an issue with two processes accessing a critical region simultaneously,
which causes a failure of the optimization service. This condition occurs when a single
failure event is reported by two MAPI/HTTP connections at the same time.
 274972 Fixed an issue where optimization services stop unexpectedly when error
conditions for MAPI over HTTP connections are being processed.
 275001 Fixed an issue that caused NTLM authentication data to be corrupted between
the client and server. This issue only occurs when Exchange is configured to use RPC
encryption with NTLM authentication. The issue is more likely to affect configurations
where the domain, FQDN, or Exchange server names contain more than 30 characters.
On the Outlook client, this issue manifests as repeated password prompts during mail
operations. These repeated authentication attempts may cause the user's account to be
locked out.
 275764 Fixed an issue where certain types of HTTP connections generated a large
number of headers by bypassing connections with more than 255 headers.
 279654 PROPFIND requests are being blocked when the WebDAV optimization is
enabled. Either upgrade to a version with this fix or disable WebDAV optimization.
 280697 Fixed an issue where GeoDNS for SteelHead SaaS Office 365 optimization would
cause an Outlook client to show sporadic disconnect notifications. This behavior could
happen when the Outlook client used a different Office 365 IP address for subsequent
connections.
 280837 Fixed an issue where read aheads couldn't provide data to a disabled data
manager by stopping read aheads from being triggered when the data manager is
disabled.
 282285 Fixed an issue where appliances running a version of ssh and sshd that might
negotiate a FIPS-disallowed algorithm when running in FIPS mode would cause the ssh
connection to fail. Attempts to upgrade the SteelHead via an SCC would also fail.
 282714 Enhancement: Added CLI command "reset factory preserve-licenses" to
preserve licenses when issuing a factory reset.
 282888 Fixed an issue where a SteelHead could attempt autodiscovery for a connection
even when it is configured to be passthrough. This behavior could happen when domain
labels are configured on the SteelHead, even if they are not used in an in-path rule.

Problems fixed in version 9.2.1d
 236123 Fixed an issue where opening the Connections Report page can sometimes lead
to the crash of the management process if the QoS feature is enabled on the SteelHead.
 254549 If the SteelHead has a QoS rule configured with a specific DSCP marking, and
also has path selection enabled for the same pass-through traffic with DSCP marking as
reflect, the packets are not DSCP marked. There is no workaround.
 267884 Fixed an issue where, in rare cases, an Outlook client using MAPI/HTTP will issue
a request that triggers a crash in the optimization services. With this fix, the MAPI/HTTP
optimization service has been updated to handle cases when the client makes a request
with a large number of server handles.
 268296 Fixed an issue to free memory allocated for OpenSSL context during SMB3
encrypted connection.
 272633 Fixed an issue where GeoDNS for SteelHead SaaS Office 365 optimization can
cause a kernel crash due to a race condition.
 274435 Fixed an issue that caused the optimization service to stop unexpectedly when a
MAPI over HTTP client opened a new authenticated request for a stream associated
with an existing accelerated request. The expected behavior in this scenario is that the
client's request should be passed through; however, an error in handling the
optimization state resulted in an optimization service shutdown.
Immediately prior to the optimization service shutdown, the following message may be
observed in the system log. (Note that the message itself does not indicate an error, but
it indicates that the conditions that may trigger this issue have occurred.)
[moh/blacklist.NOTICE] - {- -} Added to blacklist (Client IP: a.b.c.d, Server IP: e.f.g.h).
Reason: Could not process an unsupported HTTP format
To work around this issue, disable MAPI over HTTP optimization.
Problems fixed in version 9.2.1c
 263372 A fix was made to code that runs on server-side SteelHeads to handle memory
allocation failure correctly in the presence of domain-label processing.
 267989 Fixed an issue that was caused due to a feature change in the Netflow export
service. Path Selection export ID in the Netflow export service is now disabled by
default.
 273069 Fixed an issue where during sysdump generation GeoDNS for SteelHead SaaS
Office 365 optimization causes a CPU spike.
Problems fixed in version 9.2.1b
 272077 Fixed an issue where the SCC could fail to push policy configuration changes in
the qos, path selection, and secure transport functional areas, due to a DPI versioning
mismatch. This bug affected RiOS 9.2.1a only. Error messages such as the following
could be seen after an unsuccessful policy push:
[config.ERROR] Appliance has DPI version 1.2 which is not supported by SCC

Problems fixed in version 9.2.1a
 250710 Fixed an issue where the optimization service crashes if a thread tries to allocate a
local structure larger than the stack size and fails. The solution is to allocate the local
structure on the thread’s stack only up to a certain threshold size. Otherwise, the
structure is allocated from the heap.
 259435 Fixed an issue where Office365 connections were mis-classified as Skype-Auth in
the current connections table. The DPI library was updated to address this issue.
 268231 OpenSSL vulnerabilities described in
https://www.openssl.org/news/secadv/20160922.txt. Note that CVE-2016-6304 is a
high DoS, CVE-2016-6305 is a moderate DoS, and the others, including CVE-2016-2183
SWEET32 are low.

Details:
OpenSSL prior to 1.0.2i and 1.0.1u has vulnerabilities described in
https://www.openssl.org/news/secadv/20160922.txt. Note that CVE-2016-6304 is a
high DoS, CVE-2016-6305 is a moderate DoS, and the others, including CVE-2016-2183
SWEET32 are low. OpenSSL 1.0.2i has vulnerability CVE-2016-7052, a moderate DoS.

Fix:
OpenSSL has been upgraded to 1.0.2j or 1.0.1u.
Note that, for the CVE-2016-2183 SWEET32 vulnerability, the vulnerable ciphers are
moved from the HIGH to the MEDIUM category. This means that they will be disabled
by default in the web server with the current cipher string "HIGH:-aNULL:-kKRB5:-MD5".
However, if the cipher string has been changed to include MEDIUM or 3DES, this
vulnerability will still be present.

Recommendation:
Upgrade to a software version with the fix.
If MEDIUM or 3DES has been added to the web server cipher string, set a new cipher
string without it with "web ssl cipher" to disable the ciphers vulnerable to the CVE-2016-
2183 SWEET32 vulnerability.
 269380 Fixed an issue where time zone data on our devices do not account for two
recent time zone changes: Turkey adopting permanent +3 summer time, and a leap
second on 2016-12-31 23:59:60 UTC.
With this fix, the time zone data is upgraded to 2016g to account for recent time zone
change for Turkey and to include a leap second on 2016-12-31 23:59:60 UTC.
 270698 Enhancement: Updated the SteelHead DPI library to add support for identifying
new applications. This enhancement improves system performance, memory tracking,
and API debugging.
Problems fixed in version 9.2.1
 157369 Fixed an issue where SteelHead optimization might be disrupted when a MAC
OSX server responds with a lease request when a lease is not requested.

 238799 An RBM user with no read or read-write roles assigned is denied access to the
WebUI with the following error: "Unable to sign in: Failed obtaining authorization data
for user." Ensure that RBM users have at least one read or read-write role assigned to
their account.
 254285 Fixed an issue where more than 500 logins would cause the web daemon to use
up too many file descriptors, causing the management backend to become
unresponsive.
 254647 Fixed an issue where the optimization service was unable to parse Citrix ICA frames when
Auto-Negotiate Multi-Stream ICA is enabled on the client SteelHead and Citrix latency
optimizations (Client Drive Mapping, Small packets) are disabled. The fix will enable the
capability in the optimization service to find the connection priority of the 4 Multi-
Stream ICA connections and classify them for QoS. Without the bug fix, the 4 Multi-
Stream ICA connections will not be classified for QoS when Citrix latency optimizations
are disabled.
 255015 Fixed a problem where the SteelHead did not release all of the memory it had
allocated when processing HTTP responses with more than 255 HTTP headers. This fix
prevents unnecessary memory admission control. An in-path rule can be added to
bypass traffic to an HTTP server that generates excessive HTTP headers.
 255071 Fixed an issue where SteelHead optimization services would fail when Citrix
optimization services attempted to encrypt a packet with a length that is not a multiple
of 8 bytes. The RC5 encryption routine would write up to 8 bytes past the end of a
buffer, which might corrupt memory and lead to a crash.
 255263 Fixed an issue where data store corruption could occur after a model upgrade
on Steelhead CX555 and CX755 models, requiring an optimization service restart along
with clearing the data store.
 255391 Added a CLI command to set the serial bit rate of the remote management
console. Platforms that do not support this command (such as Tarpon) will indicate so at
the time the command is issued with no further effect.

 255613 CVE-2014-3566: SSL/TLS: Padding Oracle On Downgraded Legacy Encryption
attack

Details:
A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a
man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few
as 256 tries if they are able to force a victim application to repeatedly send the same
data over newly created SSL 3.0 connections. See
https://access.redhat.com/security/cve/cve-2014-3566. (POODLE attack)

Note: This is for the NSS software used internally by some base operating system
programs; it is not for the OpenSSL software used for optimization or the HTTPS access.

Fix:
Upgraded nss, nss-sysinit, nss-util, and their dependency RPMs to fix CVE-2014-3566.

Recommendation:
Upgrade to a software version with this fix. Upgraded
 255865 The "sport listen-backlog" CLI command is used to increase the SYN packet
backlog for the SteelHead inner connection socket. This patch addresses the issue with
an incomplete implementation of this feature.
 256958 Fixed an issue where a Gratuitous 401 reply was including a transaction ID
header that Outlook was using internally. Solution is to be stricter about following cache
rules and avoid optimizing the problem request. There are two possible options
available to work around this issue; only one is needed:

1) Enable the MAPI-over-HTTP optimization, along with an appropriate in-path rule set
to "Exchange Autodetect", to fully optimize the MAPI-over-HTTP traffic.

2) Create a server/subnet rule to disable the "Gratuitous 401" option for the MAPI
server. Alternatively, this can be disabled globally via the auto-config rules. Note the
server/subnet rule is preferred to avoid performance hits on HTTP traffic.

 257093 CVE-2016-1979 and CVE-2016-1978 nss: Use-after-free during processing of
DER-encoded keys and during SSL connections in low memory

Details:
CVE-2016-1978, CVE-2016-1979: Use-after-free vulnerabilities in NSS libraries when
processing DER-encoded keys. This library is not used by Riverbed optimization or
management software, but is used by base operating system software.

Fix:
Upgraded NSS and NSPR to a version with the fix.

Recommendation:
Upgrade to a software version with the fixed NSS and NSPR.
 257106 CVE-2014-4607 lzo: lzo1x_decompress_safe() integer overflow

Details:
CVE-2014-4607: lzo may have an integer overflow that could allow a specially crafted
file to cause a crash or execution of arbitrary code.

Fix:
Upgraded lzo to a version with the fix.

Recommendation:
Upgrade to a version of the software with the fixed lzo.
 257229 CVE-2011-2504 x11perfcomp has dot in its path

Details:
CVE-2011-2504: Untrusted search path vulnerability in x11perfcomp in XFree86 x11perf
before 1.5.4 allows local users to gain privileges via unspecified Trojan horse code in the
current working directory. Although X11 servers and the named programs are not
present on SteelHead appliances, a vulnerability may exist in the libxcb library that may
be used by other programs.

Fix:
Upgraded libxcb to fix this vulnerability.

Recommendation:
Upgrade to a software version with the fix.
 257344 Fixed an issue where non-HTTP connections that are handled by an optimization
policy of Exchange Autodetect may leak memory. Over time this memory leak could
cause the SteelHead to crash.

 257361 Fixed an issue that caused "/var/tmp" on the SteelHead to fill up with
"tmpXXXXXX" files, which resulted in disk full errors. When configuration backups from
the SteelHead to the SCC failed, the temporary files in "/var/tmp" were not cleaned up.
Over time this led to "/var" becoming full, and disk full errors were printed in the logs.
 257723 Fixed an issue where the MAPI optimization services for RPC over TCP and
Outlook Anywhere could sometimes encrypt packets with the incorrect authentication
context information. The MAPI optimization services now ensure that the correct
authorization context is used when encrypting packets.
 257926 Fixed an issue that in very rare instances, a MAPI/HTTP association might trigger
a blacklist event for a client-server pair for up to 19 minutes. A log message indicates
the blacklist event and the reason is displayed as ‘Reason: Accelerator command queue
backup detected.’ To work around this issue, disable MAPI/HTTP optimization.
 258395 Fixed an issue where a Central Management Console (CMC) policy push
involving many SSL certificates could fail, which caused SteelHeads to lose management
access and required a reboot to recover. This fix involved increasing the time allowed
for the certificate transfer, cleaning up data structures in the event of a transfer failure,
moving intermittent files involved with the transfer to a scalable partition, and adjusting
the size of the partition involved.
 258522 Fixed an issue where GeoDNS for SteelHead SaaS Office 365 optimization causes
high CPU overhead. This could happen when clients are using a different DNS server
than those configured on the SteelHead appliance or when a large number of clients are
being GeoDNS optimized and cleanup of the GeoDNS entries is very frequent.

 258529 OpenSSL Security Advisory May 3, 2016

Details:
From https://www.openssl.org/news/secadv/20160503.txt:

CVE-2016-2107: Padding oracle in AES-NI CBC MAC check (high) A man-in-the-middle
attacker can use a padding oracle attack to decrypt traffic when the connection uses an
AES CBC cipher and the server supports AES-NI (AES hardware support). Some Riverbed
appliance hardware does support AES-NI.
CVE-2016-2105: EVP_EncodeUpdate overflow (low)
CVE-2016-2106: EVP_EncryptUpdate overflow (low) This function is used by the
optimization service in SteelHead.
CVE-2016-2109: ASN.1 BIO excessive memory allocation (low)
CVE-2016-2176: EBCDIC overread (low) Not vulnerable, since the system does not use
EBCDIC.
CVE-2016-2108: Memory corruption in the ASN.1 encoder (high) Fixed in previous
releases: SteelHead 8.6.3, 9.0.1d, 9.1.1, 9.2.0; Interceptor 4.5.3, 5.5.0; SCC 9.1.0e, 9.2.0,
SteelFusion 4.2.0, 4.3.0.

For releases that do not have this fix, configure the following to mitigate CVE-2016-
2107:
- For "ssh server allowed-ciphers," do not include aes128-cbc, aes192-cbc, or aes256-cbc
(these are not enabled by default).
- For "web ssl cipher," the default is "HIGH:-aNULL:-kKRB5:-MD5." To remove the AES
CBC ciphers, use "HIGH:-aNULL:-kKRB5:-MD5:-PSK-AES128-CBC-SHA:-PSK-AES256-CBC-
SHA." Note: If you have a different cipher string, there may be other AES CBC ciphers
that need to be disabled as well.

Fix:
Upgraded OpenSSL to 1.0.2h (for SteelHead 9.2.1, 9.3.0; Interceptor 5.5.1; SCC 9.2.1,
SteelFusion 4.4.0) or 1.0.1t (for SteelHead 9.1.3; Interceptor 5.1.0; SCC 9.1.1).

Recommendation:
Upgrade to a release with the fix.
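
The cipher-string guidance in this entry (AES CBC, CVE-2016-2107) and in the CVE-2016-2183 SWEET32 note under 268231 can be checked mechanically. The following Python example is added here and is not Riverbed or OpenSSL code: it models only the add, "-", "!" and "+" cipher-string operations over a small constructed suite table (`build_table`, `expand`, `audit` and the table contents are assumptions for illustration) and reports which enabled suites use 3DES or AES in CBC mode.

```python
import re
from collections import namedtuple

Suite = namedtuple("Suite", "name keywords bulk mode")

def build_table(des3_strength="MEDIUM"):
    """Constructed sample suite table (not the appliance's real list).
    des3_strength is "HIGH" before the OpenSSL upgrade described in 268231
    and "MEDIUM" after it, when 3DES is moved out of HIGH."""
    rows = [
        ("ECDHE-RSA-AES256-GCM-SHA384", "HIGH AES AES256 AESGCM kEECDH aRSA", "AES", "GCM"),
        ("AES128-GCM-SHA256", "HIGH AES AES128 AESGCM kRSA aRSA", "AES", "GCM"),
        ("PSK-AES256-CBC-SHA", "HIGH AES AES256 PSK SHA1 SHA", "AES", "CBC"),
        ("PSK-AES128-CBC-SHA", "HIGH AES AES128 PSK SHA1 SHA", "AES", "CBC"),
        ("ADH-AES256-SHA", "HIGH AES AES256 aNULL ADH SHA1 SHA", "AES", "CBC"),
        ("DES-CBC3-SHA", des3_strength + " 3DES kRSA aRSA SHA1 SHA", "3DES", "CBC"),
        ("KRB5-DES-CBC3-SHA", des3_strength + " 3DES kKRB5 KRB5 SHA1 SHA", "3DES", "CBC"),
        ("RC4-MD5", "MEDIUM RC4 kRSA aRSA MD5", "RC4", "stream"),
    ]
    # Every suite also matches its own name and the keyword ALL.
    return [Suite(n, set(k.split()) | {n, "ALL"}, b, m) for n, k, b, m in rows]

def expand(cipher_string, table):
    """Return (enabled suite names in order, keywords this model does not know)."""
    known = set().union(*(s.keywords for s in table))
    active, killed, unknown = [], set(), []
    for token in filter(None, re.split(r"[:, ]+", cipher_string)):
        op = token[0] if token[0] in "-!+" else ""
        body = token[len(op):]
        if body == "@STRENGTH":          # only reorders, membership unchanged
            continue
        parts = body.split("+")          # "A+B" means suites matching A and B
        bad = [p for p in parts if p not in known]
        if bad:                          # report instead of guessing
            unknown.extend(bad)
            continue
        hits = [s.name for s in table if all(p in s.keywords for p in parts)]
        if op == "":                     # add matches not already present
            active += [n for n in hits if n not in active and n not in killed]
        elif op == "+":                  # move matches to the end of the list
            moved = [n for n in active if n in hits]
            active = [n for n in active if n not in hits] + moved
        else:                            # "-" removes, "!" removes permanently
            active = [n for n in active if n not in hits]
            if op == "!":
                killed.update(hits)
    return active, unknown

def audit(cipher_string, table):
    """Flag enabled suites relevant to SWEET32 (3DES) and CVE-2016-2107 (AES CBC)."""
    active, unknown = expand(cipher_string, table)
    by_name = {s.name: s for s in table}
    return {
        "enabled": active,
        "sweet32": [n for n in active if by_name[n].bulk == "3DES"],
        "aes_cbc": [n for n in active
                    if by_name[n].bulk == "AES" and by_name[n].mode == "CBC"],
        "unknown": unknown,
    }

DEFAULT = "HIGH:-aNULL:-kKRB5:-MD5"   # default "web ssl cipher" string from the page
NO_AES_CBC = DEFAULT + ":-PSK-AES128-CBC-SHA:-PSK-AES256-CBC-SHA"  # page's mitigation

if __name__ == "__main__":
    cases = [
        ("default, 3DES still in HIGH", DEFAULT, build_table("HIGH")),
        ("default, 3DES in MEDIUM", DEFAULT, build_table()),
        ("MEDIUM added back", "HIGH:MEDIUM:-aNULL:-kKRB5:-MD5", build_table()),
        ("3DES appended", DEFAULT + ":3DES", build_table()),
        ("AES CBC removed", NO_AES_CBC, build_table()),
    ]
    for label, string, table in cases:
        result = audit(string, table)
        print(f"{label}: {string}")
        print(f"  3DES suites enabled:    {result['sweet32']}")
        print(f"  AES CBC suites enabled: {result['aes_cbc']}")
```

Before relying on the result, replace the constructed table with the suite list reported by the OpenSSL build on the system being audited.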
 258838 Fixed an issue where the local time for Venezuela is a half hour off. This is due
to Venezuela changing from UTC-4.5 to UTC-4 on 2016/05/01. Upgraded tzdata from
2015a to 2016d, which includes updated information for Venezuela.
 259112 Fixed an issue where the handling of HTTP transactions by the Outlook
Anywhere optimization service could lead to an excessive amount of logging. In some
rare cases, it could lead to mishandled data if the HTTP request used the "Expect: 100-
continue" header. The Outlook Anywhere optimization server now correctly bypasses
HTTP connections whenever it sees a request containing the "Expect: 100-continue"
header.

 259342 Fixed an issue by updating SSL code to more aggressively discard obsolete
cached session information, which could lead to memory admission control or an
optimization service crash.
 259917 Fixed an issue where path selection would stop working. The PathCloset service,
which maintains the paths on a SteelHead, is dependent on Appflow service where
path-selection config resides. If the PathCloset service came up before Appflow on the
SteelHead, it could lead to a failed query.
 260279 Fixed an issue where due to randomization of the order in which URL query
parameters are issued by YouTube clients, web proxy is less effective in caching YouTube
content. The fix normalizes the URL query parameters sent by YouTube clients and helps
increase the amount of cache hits seen by the customers for YouTube traffic.
 260458 Fixed an issue in SMB2 serialization logic. When a setinfo request was sent on a
child directory/file and a find request was sent on the parent of it with the search
pattern the name of the child, the setinfo had to be processed first. This flaw in the
serialization logic could cause RiOS to fail.
 260803 Fixed an issue where an HTTP parsing failure of a range header could lead to a
dropped connection, when a SteelHead running RiOS 9.2.0 is peered with another
version. This problem is limited to 9.2.0 RiOS, and there can still be failures when a RiOS
9.2.0 SteelHead peers with a fixed version.
 260911 Fixed an issue where an optimization service crash occurred when the client-
side SteelHead is running RiOS 9.1.2a and later, and the server-side SteelHead is running
RiOS 9.1.2 or prior, and low strength ciphers for optimized SSL traffic are enabled on the
server-side SteelHead. Enhanced checks on the client-side SteelHead to gracefully
bypass traffic when the client-side SteelHead does not support ciphers negotiated by
the server-side SteelHead.
 261532 Fixed an issue that caused Office 365 SharePoint connections to fail when
optimized through SteelHead SaaS. This fix prevents SharePoint traffic from incorrectly
presenting an Office 365 Exchange service certificate, causing failed connections. The
SteelHead SaaS service now identifies SharePoint service correctly and ensures that the
right certificate is used for the connection.
 261591 Fixed an issue where the Outlook Anywhere optimization service would buffer
chunk-encoded HTTP data that was unrelated to Outlook Anywhere. If these HTTP
chunks were large enough, it could cause memory problems on the SteelHead. The
Outlook Anywhere optimization service no longer buffers non-Outlook Anywhere
chunk-encoded data.

 261870 Fixed an issue in releases 9.1.3 and 9.2.0 that caused SCC backups of SteelHeads
to fail after a week. The login authentication token the SCC uses when connecting to the
SteelHead for backup operations expired, causing backups to fail. After upgrading to the
9.1.3a fixed version, an authentication token may still remain, expire, and cause backup
operations to fail. Create a new, un-expiring, authentication token by restarting the
"rgpd" process on the SteelHead. This can be done manually on the SteelHead via the
command "pm process rgpd restart". This can also be done remotely on the SCC using
the "Send Commands" functionality on the Appliances website when no policy push or
upgrade operations are in progress. Versions where the fix for bug 264708 is applied
will not need to perform the "rgpd" process restart.
 262810 August 10, 2016, Riverbed security advisory for SteelHead and SteelFusion Edge
for NetShark features

Details:
The SteelCentral NetShark feature on the SteelHead CX, SteelHead EX, and SteelFusion
Edge appliances is using an outdated version of OpenSSL (0.9.8k), which includes several
known security vulnerabilities.

Fix:
NetShark functionality will no longer be visible as a configurable option. In a subsequent
RiOS release, NetShark functionality will be removed.

Workaround:
Customers with NetShark enabled in RiOS, including the deprecated versions, should
disable this feature. For more details see the following Knowledge Base article:
https://supportkb.riverbed.com/support/index?page=content&id=S28669
 264708 Fixed an issue that caused SCC backups of SteelHeads to fail after first upgrading
from 9.1.3 to 9.1.3a. The SCC session initially uses login authentication tokens generated
in 9.1.3 that include an expiration. When the token expires, it causes SCC backups to fail.
This issue only impacts systems that previously loaded 9.1.3 and can occur up to 7 days
after upgrade to 9.1.3a.
Problems fixed in version 9.2.0
 145734 Fixed an issue so that the sport.log files are written to after performing a log
rotation. Also ensures the currently active sport.log file and all archived sport.log files
are included in the archive on a full sysdump generation.
 161036 Fixed an issue where a SteelHead connecting to the Cloud Portal through a
proxy server would present the Content-Length header, causing a failed connection. The
SteelHead now does not include Content-Length in the request. A hidden command has
been added to allow the SteelHead to revert to previous behavior, in the case of proxy
servers that require it.
 165036 Fixed a problem where the stats report sent via email for the App Visibility
feature did not contain any headers. This made it difficult to understand what each
column of data represented.

 165826 Fixed an issue where SteelHead did not support SSL elliptic curve Diffie-Hellman
(ECDHE) key exchange connections. Support has been added for ECDHE connections.
 167022 Fixed an issue in the SNMP service that caused the IF-MIB::ifHCInUcastPkts.*
counters when read through SNMP, to give large incorrect values that appear to
decrement instead of increment when packets go through the associated interfaces.
 167751 Fixed an issue where the optimization service on a SteelHead crashed when the
SteelHead disconnected from an optimization peer. The issue occurred when the
SteelHead was processing a large number of FTP or MAPI connections.
 197885 Fixed an issue where logs may appear similar to "[cli.ERR]: user admin:
check_if_dx(), lr_dx.c:28, build 186: Error code 14001 (unexpected NULL) returned".

No workaround is available. This error does not impact functionality and can be safely
ignored.
 198675 CVE-2013-4782 - A BMC security vulnerability was discovered that impacts
SteelHead xx50, EX560, and EX760 models.

Details:
A BMC security vulnerability was discovered that impacts SteelHead xx50, EX560, and
EX760 models.
CVE-2013-4782 - The BMC implementation allows remote attackers to bypass
authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher
zero) and an arbitrary password.

Recommendation:
Upgrade to patched version if applicable.
 218962 Fixed an issue where the SteelHead application classification engine was
classifying certain applications wrong. For example, O365 connections could be
classified as Skype. The classification engine has been upgraded to a version that
correctly classifies all supported applications.
 219716 Fixed an issue where an incomplete cleanup in one of the optimization process
components could cause the optimization service to fail during restart with errors
similar to "address in use".
 220037 Fixed an issue where a kernel panic could occur when successive IP fragments
belonging to a transparent, optimized, and locally existing connection arrived on the
optimization module and another interface (e.g. the primary interface). The fix is to
make sure that the optimization module uses its own defragmentation queue instead of
the defragmentation queue of the kernel.
 220338 Fixed a problem that prevented the "monitor" user from selecting the units to
be displayed in both the Inbound and Outbound QoS reports. Previously, the selection
drop-down list was improperly disabled.

 221778 Fixed an issue that occurs when HTTP based services use chunk encoding to
transfer large amounts of data, but at slow rates over time. One example was a stock
ticker widget that received a continuous stream of small price updates. When this
occurs over multiple connections simultaneously it can lead to out of memory
conditions. The slow data rate is significant because small packets bypass the
deduplication provided by scalable data referencing (SDR) and exacerbate memory
consumption. A chunk limit has been added to limit response data buffering. Buffering
limits have been put into place to prevent this from leading to errors.
 221961 SSL optimization fails with error "SSL3_GET_SERVER_HELLO:parse tlsext" when
Client Authentication is enabled on the SteelHead and the client/server negotiate use of
SSL Session Tickets. Session Tickets can be used for SSL session resumption and are
negotiated by the client and server during the SSL handshake. Both the client and the
server must advertise support for Session Tickets in order for Session Tickets to be used.
In a typical SSL optimization, the SSL handshake is terminated at the server-side
SteelHead. Since the SteelHead does not support Session Tickets, the SteelHead did not
advertise support for them and the Session Tickets were never used. However, when
Client Authentication is enabled on the SteelHead, Client Authentication must allow the
client and server to negotiate directly, which may result in a Session Ticket being
established. The SteelHead later encounters an error when parsing the SSL handshake
messages and the connection fails. To remedy this, Session Ticket support must be
enabled on the SteelHead by using the following CLI command:

[no] protocol ssl backend client session-ticket

This command allows the SteelHead to parse the SSL handshake messages containing
Session Tickets. Note that this does not imply that the SteelHead can decrypt Session
Tickets generated by another server. This means that the servers doing Client
Authentication cannot be optimized when the client uses a Session Ticket to resume a
session. (Session resumption using Session ID is still allowed). However, if the server is
not doing Client Authentication, the SteelHead retroactively terminates the connection
at the SteelHead. The only difference is that the original client handshake message was
forwarded to the server. Forwarding the handshake message, allows the SteelHead to
generate its own Session Tickets and enables SSL optimization to work in all resumption
cases. Subsequent connections to the server will terminate at the SteelHead and will
follow the typical SSL optimization model. The solution is to disable SSL Client
Authentication.

 222693 Fixed an issue where, when RADIUS authentication is configured, passwords longer
than 272 characters can cause the Management Console to become temporarily
unavailable. This issue is only applicable if RADIUS based authentication is used on the
appliance. A fix in the third-party PAM_Radius library was made to prevent the
Management Console from exiting and restarting when passwords longer than 272
characters are entered. A restart of the Management Console triggers the following
message in the system log, and in an email notification: "Process failure: manage.py".

Workaround:
Temporarily disable RADIUS based authentication.

Recommendation:
Upgrade to patched version if applicable.
 225191 Fixed an issue where the SteelHead optimization service could crash if sufficient
contiguous memory is not available. This issue was fixed by preallocating and reusing
adequately sized memory blocks. In addition, connection load balancing is now disabled
whenever SDR-Adaptive is enabled.
 225445 Fixed an issue where the optimization service could crash during the CIFS share
directory parse operation. This fix added checks to avoid accessing invalid information
that could cause the optimization service to crash.
 226757 Fixed an issue where log messages make it look like the "yarder_rbt" process
has crashed when it has actually shut down normally. The amount of time that the
system process manager waits for a process to shutdown before forcing it to exit has
been increased for "yarder_rbt".
 229753 Fixed an issue wherein the file transfers from servers to the OSX 10.9 clients are
slow. A new hidden CLI command on the client-side SteelHead has been added for faster
file transfers to OSX 10.9 clients. To enable SMB2 optimization on the OSX 10.9 clients,
use the following CLI command:
protocol smb2 mac-oplock enable
To disable this feature, use the no version of the command:
no protocol smb2 mac-oplock enable
 231646 Fixed problem where packets could be corrupted when the SteelHead has DSCP
marking enabled and sees VLAN tagged broadcast packets (such as DHCP) going from
LAN to WAN. If a software upgrade is not an option, disable DSCP marking or change
specific rules.
 231991 Fixed an issue in the User Interface that made all port label names lower case
before being saved to the database.
 232738 This fix corrected the condition where accelerated responses to the Outlook
client were sent under the wrong authentication context resulting in the Outlook client's
state being corrupted.

 235715 Fixed an issue where, in rare cases, the priority detection used to label Citrix MSI
traffic for QoS fails to correctly identify the stream priority. In this case, the stream is
identified as Citrix-CGP. Additionally, SSL warnings may be seen when the connection is
closed. The Citrix optimization feature now looks for any occurrence of the priority
command, not just the first one, until it identifies a valid priority.
 235947 cURL cumulative security update for security advisories adv_20150422A,
adv_20150422B, adv_20150422C, and adv_20150422D

Details:
CVE-2015-3143 NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent over the connection
authenticated as a different user. This is similar to the issue fixed in DSA-2849-1.
CVE-2015-3144 When parsing URLs with a zero-length hostname (such as "http://:80"),
libcurl would try to read from an invalid memory address. This could allow remote
attackers to cause a denial of service (crash). This issue only affects the upcoming stable
(jessie) and unstable (sid) distributions.
CVE-2015-3145 When parsing HTTP cookies, if the parsed cookie's "path" element
consists of a single double-quote, libcurl would try to write to an invalid heap memory
address. This could allow remote attackers to cause a denial of service (crash). This issue
only affects the upcoming stable (jessie) and unstable (sid) distributions.
CVE-2015-3148 When doing HTTP requests using the Negotiate authentication method
along with NTLM, the connection used would not be marked as authenticated, making it
possible to reuse it and send requests for one user over the connection authenticated as
a different user.

Not Applicable:
CVE-2015-3144, and CVE-2015-3145

Fix:
Upgraded cURL utility to 7.44.0

Recommendation:
Upgrade to patched version if applicable.
 236318 Fixed an issue to update the Path Selection page to properly show all sections of
the page as disabled but visible when the logged in user has read-only permissions to
everything.
 236378 Fixed an issue where under heavy load conditions, SteelHeads in a Connection
Forwarding cluster would fail to send control messages to their connection forwarding
neighbors, resulting in the neighbors failing to remove stale entries leading to an out-of-
memory condition. An enhancement has been made that reduces control-message
failures on the SteelHead so that out-of-memory conditions and process failures on
neighboring SteelHeads and Interceptors no longer occur.

 237568 Fixed an issue where the Path Selection engine would log an INFO level message
once for every flow based on customer policies. This issue could overwhelm the logs in
cases where there are a large number of relayed flows. The fix ensures that RiOS does
not log the message for any relayed flows.

Example message:
[rbtqos.INFO] 172.29.81.103:61919 -> 10.3.5.60:445 proto 6 now being relayed
Excessive logging of this message could lead to rate limiting, indicated by
'kernel:__ratelimit' messages.
 237772 Fixed an issue where, on SteelHead models CX255, CX570, and CX770, the LAN
and WAN interface links can go down briefly during an optimization service restart. This
issue existed on all previous RiOS releases.
 238050 Fixed an issue where SNMP access might be very slow (an hour or so) when
there is a large number (tens of thousands) of connections due to an insert-and-sort-
each-time procedure. Tools like snmpwalk time out. The SNMP server has been
changed to build its internal array of connections more quickly so that an snmpwalk or
snmpbulkwalk query to an appliance with tens of thousands of connections will take a
few minutes instead of a few hours. The use of the -t option in snmpwalk or other tools
might still be necessary to increase the timeout, but a more reasonable value like "-t
200" can be used.
 238512 Fixed an issue with GeoDNS for SteelHead SaaS Office 365 optimization causing
high CPU overhead. This could happen either when a large number of clients are being
GeoDNS optimized or when clients are using a different DNS server than those
configured on the SteelHead appliance.
 238925 Fixed an issue where QoS-related processes crash repeatedly after reboot when
a new in-path interface is added after configuring remote sites.
 239153 Updated Web-Proxy cache to support HTTP/1.1 so that HTTP Pre-population can
be utilized.
 239271 Fixed an issue where the optimization service could crash when LAN or WAN
cables were removed and/or reconnected while the appliance was optimizing
connections.
 239757 Fixed a bug where a certificate, created using a CSR from the SteelHead, could
not be used to "replace" the current certificate through the Web Settings page.
 240007 Fixed an issue with CIFS Prepopulation Web UI and CLI interface showing
incorrect next full synchronization time.
 240539 Fixed an issue in SteelHead version 8.6.x and later where a path-selection policy
push from the SCC to SteelHead would fail.
 240730 Fixed a problem by correctly honoring the metadata cache timeout, even for
timeout values less than 1000 ms. With this fix, the cache timeout can be set to an
appropriate value to suit a specific scenario. A timeout of 0 ms would stop CFE from
answering the GetInfo requests locally and forward them to the server.

 240747 Fixed an issue where a kernel panic could occur in certain configurations using
full address transparency in-path rules, leading to an optimization service restart. This
issue impacts RiOS v8.6.2 and later, v9.0.x, and v9.1.x.
 240843 Fixed an issue where a false positive redundant power supply alarm would raise
and clear intermittently. A symptom of this bug is seeing the alarm consistently clear
one minute after it was raised.
 240976 Fixed an issue where a kernel crash could occur affecting appliances running
traffic across an interface with an e1000e driver, which is commonly used by several
models on the on-board in-path interface. Messages such as these can be seen:
Jun 20 08:53:57 localhost kernel:IP: [<ffffffff8144dfe1>]
e1000_xmit_frame+0xd51/0x1000
 241025 Fixed an issue where out-of-memory conditions on the CX555 appliance model
could lead to restarts of optimization and other vital services. This fix adjusted memory
handling of the CX555 appliance to reduce the likelihood of hitting an out-of-memory
condition. Out-of-memory conditions can lead to restarts of optimization and other
vital services.
 241055 Fixed an issue where disabling the public facing REST API server would prevent
the SteelCentral Controller from pushing the configuration to an appliance.
 241099 Fixed an issue in the Management Console's handling of Unicode characters
wherein the use of special characters or accented letters in the 'login message' banner
could break some pages or prevent login. This fix does not address a similar issue with
the MOTD banner, where the same characters can break some pages or prevent login.
 241120 Fixed an issue where a UI page load error appears when trying to open pages
such as QoS and 'Sites and Networks.' This error occurs when a SteelHead appliance has
an interface card installed in slot 6. Messages like the following appear in the system
logs: Jul 8 09:19:19 sv-sh202 lumberjack_rbt[35484]: [sh.appflow.INFO] The wan6_0
interface ifindex is not available
 241231 Fixed an issue where the SteelHead could become unresponsive if the Secure
Peering gray list grew too quickly. With this fix, the rate at which peers are added to the
Secure Peering gray list is limited to once every 5 seconds.
 241246 Fixed an issue where the optimization service would crash or log large numbers
of error messages stating "Unable to construct frame from …". The fix changes the
way the SteelHead parses traffic so that newer Citrix protocol variants are bypassed.
 241291 Fixed an issue where packets decrypted using Secure Transport were not sent
out with the configured VLAN of the optimization interface when the connection-based
VLAN feature is enabled. Decapsulated packets would need to pick up the VLAN
configured on the optimization interface even if the connection-based VLAN feature is
enabled.

 241333 OpenSSL cumulative security update for advisory - secadv_20150709

Details:
This update addresses the following issues:
CVE-2015-1793: Alternative chains certificate forgery
For more information, see: https://www.openssl.org/news/secadv_20150709.txt

Fix:
The OpenSSL library in RiOS management has been updated to version 1.0.1p to patch
the above issue.

Recommendation:
Upgrade to patched version if applicable.
 241382 Fixed an issue where upgrading a SteelHead CX1555H to RiOS 9.1.0 or later fails
if the upgrade encounters an unexpected partition layout on the management drives.
 241422 Fixed an issue where accented characters or special symbols in the Message of
the Day (MOTD) banner could cause logins to fail or rendering problems in the
Management Console.
 241573 Fixed an issue where the Outlook Anywhere auto-detect mechanism could
misinterpret HTTP payload and cause an optimization service crash. With the fix,
unexpected source responses are identified, the connection is passed through, and a
message is logged: "enable pass-thru: unexpected data after headers." Disable Outlook
Anywhere auto-detect and add an in-path rule to use Outlook Anywhere latency
optimization only for Microsoft CAS servers.
 241773 Fixed a crash that can occur while optimizing MAPI RPCH traffic caused by
negative Content-Length headers. Although it is not allowed by the HTTP specification,
Microsoft servers can return negative Content-Length header values, which trigger an
ASSERT in the RPCH code. Instead of crashing, with this fix the software passes through
the traffic and logs an INFO level log: "enable pass-thru: Content-Length header is
negative: -1".

 241917 CVE-2015-4620 - ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before
9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows
remote attackers to cause a denial of service.

Details:
name.c named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-
P2, when configured as a recursive resolver with DNSSEC validation, allows remote
attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by
constructing crafted zone data and then making a query for a name in that zone.

Fix:
The ISC BIND named daemon for the DNS cache feature has been upgraded to address
CVE-2015-4620.

Recommendation:
Upgrade to patched version if applicable.
 241918 CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause a
denial of service

Details:
A denial-of-service (DOS) flaw was found in the way the libxml2 library parsed certain
XML files. An attacker could provide a specially crafted XML file (related to an XML
Entity Expansion (XEE) attack) that, when parsed by an application using libxml2, could
cause that application to use an excessive amount of memory.

Fix:
The libxml2 has been updated to patch CVE-2015-1819.

Recommendation:
Upgrade to patched version if applicable.
 241998 Fixed an issue where the Application Statistics REST API "resolution" and
"rollup_function" parameters were incorrectly exposed. Setting these values may result
in inaccurate data. Do not set these unsupported parameters.
 242060 Fixed an issue where the optimization service would crash or log large numbers
of error messages stating "Unable to construct frame from …". The fix changes the
way the SteelHead parses traffic so that newer Citrix protocol variants are bypassed.
 242237 Fixed a problem where the reset of TCP connections on 32-bit appliances failed
due to mismatched library versions. Fixed by using the appropriate library for 32-bit
appliances.
 242318 Fixed an issue where "image fetch" times out after 5 minutes for scp:// URLs.
This behavior could occur if the link that the image was transferred over was slow, resulting
in the file transfer taking more than 5 minutes. The timeout handler has been updated
to monitor transfer progress, instead of closing the connection if a transfer cannot
complete under 5 minutes.

 242330 Fixed an issue where importing SSL certificates that have commas in their
hostname would cause an error in the Administration -> Security -> Web Settings UI
page.
 242633 Enhancement: Improved the size allocations for SSL encryption buffers. This
change reduces the amount of memory allocated for small SSL alert messages.

Additional Info: This change is not a solution to SSL sizing constraints and will not
increase the secure connection capacity on a SteelHead.
 242661 Fixed an issue where a message "[rpch/csh.NOTICE] 1019415 {10.1.2.3:20000
10.4.5.6:80} HTTP headers > 64KB, passing through connection" appears in the log.
Under certain conditions, this message appears while examining an HTTP connection for
Outlook-Anywhere traffic to a web server that is not an Exchange server. No
workaround is needed. To prevent this message, you can disable Outlook Anywhere
auto-detect and add an in-path rule to use Outlook Anywhere latency optimization only
for Microsoft Client Access Servers (CAS).
 242979 Fixed an issue where persistently high CPU utilization can occur when the
system attempts to send very large files, such as a large system dump, via email. Failure
events, such as process crashes, send email notifications accompanied with sysdumps
and can trigger the high CPU.
 243000 Fixed an issue where the Outlook Anywhere optimization service was incorrectly
intercepting non-MAPI traffic. This issue was fixed by changing the behavior of HTTP
parsing to allow for case-insensitive searching of the HTTP header for the content length
field.
 243171 Fixed a problem where a race condition corrupts the connections map data and
causes the optimization service to crash when Outlook Anywhere is enabled. Applied
fixes to improve management of strings and reduce race conditions so the connection
map would not be corrupted.
 243604 Fixed an issue on the Web Proxy that caused intermittent access to certain Web
pages. This behavior occurs when the Web server that the client is connecting to sends a
Keep-Alive header in the HTTP response. As a result, the connection between the client
and the proxy, and the connection between the Web proxy and the server are kept
alive. If the server sees no data for some time, it closes the socket on its side (generally
after a short timeout). The client, during this time, initiates a new HTTP request on the
kept alive connection to the proxy. The Web proxy then sends a "Service Unavailable"
error and also closes the connection to the client because it cannot guarantee that the
configured network rules for the client-side connection can be applied on a new server-
side connection. To fix this issue, when the server closes the connection, the SteelHead
propagates the connection close to the client. This ensures that the client does not
reuse a connection that has the corresponding server connection closed.
 243632 Fixed an issue where a kernel crash could occur when the system was low
on available memory. The signature of the crash is a message like the following:
Aug 22 02:16:15 localhost kernel: [<f9287d03>] hnbi_delete_init_data+0x2b/0x50 [nbt]

 243748 Fixed an issue where an IP packet with Ethernet trailer bytes resulted in a
RiOS kernel crash. The packet processing modules have been updated to handle IP
packets with Ethernet trailer bytes properly.
 244078 Fixed an issue, introduced in RiOS 9.0, that prevented the "web http redirect"
command from automatically routing Management Console traffic to the secure HTTPS
port. When this command was executed, access to the Management Console failed in a
redirect loop.

Workaround:
Use https:// instead of http:// to access the web UI.

Additional Information:
When connecting to fixed versions, the browser cache may still need to be cleared in
some cases.
 244238 Fixed an issue where the SNMP server did not report the correct values for the
MIBs hrSWRunPerfCPU and hrSWRunPerfMem. The SNMP server no longer
improperly parses /proc/$pid/stat, which caused incorrect values to be returned.
 244832 CVE-2015-5986 - openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3
allows remote attackers to cause a denial of service
CVE-2015-5722 - buffer.c in named in ISC BIND 9.x before 9.9.7-P3 allows remote
attackers to cause a denial of service

Details:
CVE-2015-5986: openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 allows
remote attackers to cause a denial of service (REQUIRE assertion failure and daemon
exit) via a crafted DNS response.
CVE-2015-5722: buffer.c in named in ISC BIND 9.x before 9.9.7-P3 allows remote
attackers to cause a denial of service (assertion failure and daemon exit) by creating a
zone containing a malformed DNSSEC key and issuing a query for a name in that zone.

Fix:
The ISC BIND named daemon for the DNS cache feature has been upgraded to 9.9.7-P3.

Recommendation:
Upgrade to patched version if applicable.

Note: the DNS cache feature which utilizes BIND is turned off by default, and does not
use DNSSEC.
 244916 Fixed an issue where HTTP responses could drop during the transition from
optimized individual transactions to bypassed pipelined requests.
 244961 Enhancement: TLSv1.2 support is enabled by default beginning with RiOS 9.2.
This affects both new installations as well as upgrades. Compatibility issues with older
versions of RiOS have been addressed and the SteelHead will automatically negotiate
down as necessary.

 245069 Fixed an issue where the optimization service was mishandling an oplock break
response from an optimized SMB3 encrypted connection from the server, resulting in a
failed file download. With this fix, the oplock break responses are correctly handled and
the client is able to read or download the file.
 245223 Fixed an issue where the optimization service might crash when the system
recycles an Outlook Anywhere connection in a way that is not permitted by the
protocol.
 245362 Fixed an issue where an IPMI alarm could be triggered by a false power supply
predictive failure state.
 245876 Fixed an issue to ensure a state reset of the red triangle indicating an error
whenever the user opens the site Add or Edit panel. The error symbol will disappear
upon the next successful Add or Edit of a site or upon page refresh.
 246054 Fixed an issue in RiOS 9.0.0 and later where system service issues could lead to
symptoms such as database configuration switch errors like the following: "Config
change has not completed successfully". An additional symptom is the Secure Transport
service not starting properly. A condition that makes this failure more likely is a DNS
server being unreachable (such as a network failure). To work around this issue, switch
away from the configuration, and then switch back to the desired one. If the error
persists, restore DNS reachability and re-attempt the configuration switch.
 246073 Fixed an issue where optimized HTTP connections could fail due to the
interaction of HTTP Prefetch optimization, Outlook Anywhere optimization, and the use
of chunked encoding by the HTTP server. With this fix, the two optimizations now
interact correctly and client HTTP connections are no longer blocked.
 246124 Fixed an issue where the SNMP ifindex for wan6_1 could differ between an
upgraded and factory defaulted appliance. The index value, introduced in RiOS 9.1.1,
could be 109 or 114 depending on which version the appliance was upgraded from and
to, and whether a factory default was applied. The fix ensures that the index value is
109 in both the upgraded and factory default cases.
 246275 Fixed an issue where the optimization service could crash while processing an
SMB2 getinfo response from the server. This fix added checks to avoid accessing invalid
information that could cause the optimization service to crash.
 246865 Fixed an issue where, when a 10 Gigabit interface is configured to support jumbo
frames (MTU > 1500), the interface generates several pause frames. The
large number of pause frames caused Cisco switches to drop packets.

 246966 CVE-2015-7871: Crypto-NAK packets can be used to cause ntpd to accept time
from unauthenticated ephemeral symmetric peers by bypassing the authentication
required to mobilize peer associations

Details:
NTP has security vulnerabilities described in
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Only CVE-2015-7871 is applicable:
Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated
ephemeral symmetric peers by bypassing the authentication required to mobilize peer
associations.
The following vulnerabilities are not applicable:
CVE-2015-7855
CVE-2015-7854
CVE-2015-7853
CVE-2015-7852
CVE-2015-7851
CVE-2015-7850
CVE-2015-7849
CVE-2015-7848
CVE-2015-7701
CVE-2015-7703
CVE-2015-7704, CVE-2015-7705
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702

Fix:
Upgraded NTP to 4.2.8p4 to address the security vulnerabilities described in
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner,
notably CVE-2015-7871.

Recommendation:
Upgrade to patched version if applicable

 247050 CVE-2015-3238: An attacker able to supply large passwords to the unix_pam
module could use this flaw to enumerate valid user accounts or cause a denial of service
on the system.

Details:
The PAM module has been upgraded to fix the vulnerability caused by CVE-2015-3238,
where an attacker able to supply large passwords to the unix_pam module could use
this flaw to enumerate valid user accounts or cause a denial of service on the system.

Fix:
The PAM module in RiOS has been updated to a patched version to address the CVE.

Recommendation:
Upgrade to a patched version.
 247382 Fixed a problem in SteelHead SaaS backhauled deployment mode that could
cause a loss of connectivity on long-lived optimized SaaS connections. This issue can
happen if the SteelHead performing SteelHead SaaS redirection of optimized SaaS
connections has a high number of pass-through connections going through it. Under
such load the SteelHead might stop performing SteelHead SaaS UDP redirection of the
connection, leading to a loss of connectivity for those flows.
 247443 Fixed Datakeg error and warning messages related to the SCA component.
These messages did not affect appliance functionality.

Example messages:
Nov 4 01:36:53 csh datakeg[6085]: [datakeg_lib.ERROR] Error running
/sbin/sca_datakeg.py acshs: No such executable /sbin/sca_datakeg.py
Nov 4 01:36:53 csh datakeg[6085]: [datakeg.WARNING] Problem with collecting metric
sca.acshs.
 247489 Fixed an issue where, under certain specific scenarios, SteelHeads with 1
Gigabit add-on NICs might suffer higher packet-drop rates when using inbound QoS. This
fix provides better configuration support of inbound QoS to avoid such issues.
 247522 Fixed an issue where the optimization service crashed with Outlook Anywhere
enabled when a client did not have any more connections to the Exchange Server or
during client connect. During the tracking of Outlook Anywhere connections associated
with a client and server pair, a table would, at times, become corrupted. This fix corrects
the way RiOS does comparisons on this table.
 247560 Corrected an issue where the web inactivity timeout was not being honored in
the web UI. After this correction, web UI sessions will get logged out after the amount
of time specified by the user in the "web inactivity timeout" setting. To work around this
issue, the CLI command "web session timeout" can be used to enforce a timeout period.

 247748 Fixed an issue where the optimization service could crash when HTTP
optimization and Outlook-Anywhere auto-detection are both enabled and certain types
of unexpected HTTP traffic are processed. The RPCH HTTP header parsing state machine
would enter a state in which it was expecting headers but could not find any. This change
verifies that headers exist before trying to access them.
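
The header-handling fixes in 241773, 242661, 243000 and 247748 share one pattern: validate before use, and pass the connection through instead of crashing. The sketch below is an added example, not RiOS code; `split_headers`, `decide` and the return tuples are hypothetical, and the pass-through on conflicting or non-integer values is an assumption that goes beyond what these notes describe.

```python
import re

# Added illustration, not RiOS code. Function names and return values are
# hypothetical; only the quoted log wording comes from the release notes.
MAX_HEADER_BYTES = 64 * 1024            # limit quoted in the 242661 log message
_STRICT_INT = re.compile(r"-?[0-9]+")   # ASCII digits only, optional sign


def split_headers(raw: bytes):
    """Return (start_line, {lowercased-name: [values]}), or None when the
    blank line that ends the header block has not been seen yet."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:  # skip lines that are not "name: value"
            # Field names are case-insensitive: "content-LENGTH" must match.
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def decide(raw: bytes):
    """Return ("optimize", length), ("pass-thru", reason) or
    ("need-more-data", None) for a buffered server response."""
    parsed = split_headers(raw)
    if parsed is None:
        # No complete header block: never index into headers that are absent.
        if len(raw) > MAX_HEADER_BYTES:
            return ("pass-thru", "HTTP headers > 64KB")
        return ("need-more-data", None)
    start_line, headers = parsed
    if raw.index(b"\r\n\r\n") > MAX_HEADER_BYTES:
        return ("pass-thru", "HTTP headers > 64KB")
    if not start_line.startswith("HTTP/"):
        return ("pass-thru", "not an HTTP response")
    values = headers.get("content-length", [])
    if not values:
        # This sketch only handles Content-Length-delimited responses.
        return ("pass-thru", "no Content-Length header")
    if len(set(values)) > 1:
        return ("pass-thru", "conflicting Content-Length headers")
    if not _STRICT_INT.fullmatch(values[0]):
        # int() alone would accept "1_000" or "+5"; be strict instead.
        return ("pass-thru", "Content-Length header is not an integer")
    length = int(values[0])
    if length < 0:
        # Servers do send this; bypass and log rather than assert.
        return ("pass-thru", f"Content-Length header is negative: {length}")
    return ("optimize", length)
```
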
 247821 Fixed an issue where the CLI command "arp <ipaddr> <macaddr>" returned the
error "% The interface <ipaddress> does not exist." Instead, use the command
"interface <interface> arp <ipaddr> <macaddr>" to configure static arp entries.
 248345 Fixed an issue where the optimization service crashes by adding logic to
correctly identify freed memory in the store.
 248606 OpenSSL prior to 1.0.2e or 1.0.1q has security vulnerabilities CVE-2015-3193,
CVE-2015-3194, CVE-2015-3195. These are moderate vulnerabilities described in
https://www.openssl.org/news/secadv/20151203.txt.

Details:
OpenSSL prior to 1.0.2e or 1.0.1q has security vulnerabilities CVE-2015-3193, CVE-2015-
3194, CVE-2015-3195. These are moderate vulnerabilities described in
https://www.openssl.org/news/secadv/20151203.txt.

Fix:
Upgraded OpenSSL to 1.0.2e or 1.0.1q to fix CVE-2015-3193, CVE-2015-3194, CVE-2015-
3195.

Recommendations:
Upgrade to a software version with this fix.
 248633 Fixed an issue that caused reverting to RiOS 9.0.1 or later to fail. This occurred
when an appliance's configuration database of a given name was deleted, and then later
another configuration of the same name was added. For some databases, only the
database for the current RiOS was deleted, while with others, all databases including
backed up versions for previous RiOS versions were deleted. On revert, those databases
where all previous versions were deleted could not properly revert, causing the image
revert to fail.
 248683 Fixed an issue in parsing HTTP packets within the SteelFlow WTL blade so that it
does not keep buffering data after encountering a NULL byte. This issue may be
accompanied by logs similar to "[pm.ERR]: Output from sport:
src/central_freelist.cc:480] tcmalloc: allocation failed 24576 ( 6 pages) for sizeclass 57
upto 4352". Issue may also result in Admission Control alerts and optimization service
process crashes.
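
Several entries above quote the log line that identifies the fixed problem, which makes it possible to check whether an appliance still on an older release is showing those symptoms. The script below is an added example, not a Riverbed tool: the signature strings are the log fragments quoted in these notes, while the `SIGNATURES` layout, `triage` and the one constructed sample line are assumptions.

```python
import re

# Added illustration, not a Riverbed tool. Patterns are built from the log
# fragments quoted in these release notes; bug IDs are the ones listed there.
SIGNATURES = [
    ("237568", r"\[rbtqos\.INFO\].* now being relayed"),
    ("240976", r"e1000_xmit_frame\+"),
    ("241120", r"interface ifindex is not available"),
    ("241246/242060", r"Unable to construct frame from"),
    ("241573", r"enable pass-thru: unexpected data after headers"),
    ("241773", r"enable pass-thru: Content-Length header is negative"),
    ("242661", r"HTTP headers > 64KB, passing through connection"),
    ("243632", r"hnbi_delete_init_data\+"),
    ("247443", r"No such executable /sbin/sca_datakeg\.py"
               r"|Problem with collecting metric sca\."),
    ("248683", r"tcmalloc: allocation failed"),
]
_COMPILED = [(bug, re.compile(pattern)) for bug, pattern in SIGNATURES]

# Sample input: lines quoted in the notes (wrapped lines rejoined), plus two
# lines marked "constructed" that were written for this example.
SAMPLE_LOG = [
    "[rbtqos.INFO] 172.29.81.103:61919 -> 10.3.5.60:445 proto 6 now being relayed",
    "[rbtqos.INFO] 192.0.2.10:50000 -> 198.51.100.7:445 proto 6 now being relayed",  # constructed
    "Jun 20 08:53:57 localhost kernel:IP: [<ffffffff8144dfe1>] e1000_xmit_frame+0xd51/0x1000",
    "Jul 8 09:19:19 sv-sh202 lumberjack_rbt[35484]: [sh.appflow.INFO] The wan6_0 interface ifindex is not available",
    "Aug 22 02:16:15 localhost kernel: [<f9287d03>] hnbi_delete_init_data+0x2b/0x50 [nbt]",
    "Nov 4 01:36:53 csh datakeg[6085]: [datakeg_lib.ERROR] Error running /sbin/sca_datakeg.py acshs: No such executable /sbin/sca_datakeg.py",
    "Nov 4 01:37:00 csh example[1]: unrelated message",  # constructed, matches nothing
]


def triage(lines):
    """Return {bug_ids: {"count": n, "first": first_matching_line}}.

    A hit means the symptom matches a problem fixed in this release; it is a
    reason to plan the upgrade, not proof of root cause.
    """
    hits = {}
    for line in lines:
        for bug, rx in _COMPILED:
            if rx.search(line):
                entry = hits.setdefault(bug, {"count": 0, "first": line.strip()})
                entry["count"] += 1
                break  # each line is attributed to at most one signature
    return hits


if __name__ == "__main__":
    for bug, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bug}: {info['count']} line(s), first: {info['first']}")
```
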
 248790 Fixed an issue where the SteelHead 'config-save needed' flag may light up on
the SteelCentral Controller for SteelHead every 24 hours when it receives an update
from the Riverbed Cloud Portal and the SteelHead has the SteelHead SaaS/Cloud
Accelerator feature and GeoDNS optimization enabled.

 248870 Fixed an issue where /config became full after thousands of logins to the web UI
and CLI occurred. This caused a flash_error alarm to be raised and errors in the syslog,
indicating many system services were unable to start.
 249088 Fixed an issue where the CLI command "interface [interface] dhcp renew" does
not execute when DHCP is disabled. In addition the system did not inform the user. The
behavior was changed to print an error message if this command is executed while
DHCP is disabled.
 249243 Fixed an issue so that users can now select parent classes when viewing traffic
reports for QoS.
 249269 CVE-2015-8000: bind denial of service by remote attacker via a malformed class
attribute.

Details:
CVE-2015-8000: A remote attacker can cause a denial of service in BIND via a malformed
class attribute. This impacts the SteelHead DNS cache feature. However, this feature is
disabled by default.

Fix:
Upgraded BIND named for the DNS cache feature to 9.9.8-P2 to fix CVE-2015-8000.

Recommendation:
Upgrade to a software version with this fix.
 249289 Fixed an issue to make sure that RiOS does not crash during shutdown when an
active splice requests domain information and the domain-auth config global has
already been destroyed.
 249472 Fixed an issue where the help documentation pages in the Management
Console could report a clickjack vulnerability during a Nessus scan of the appliance, even
though there was no risk to the Management Console. The HTTP headers that, according
to Nessus, prevent the clickjack vulnerability are now added to all pages, including help
documentation, instead of just the interactive pages.
 249764 Fixed an issue where self-signed SSL certificates were using RSA-SHA1 instead of
RSA-SHA512 with a key size of 2048 bits or higher. Support for SHA1 certificates is being
deprecated by web browsers, which eventually leads to them not accepting RSA-SHA1
certificates.
 249863 Fixed an issue where user identity might be reassigned by SharePoint
optimization. The SharePoint blade was saving and redistributing "Set-Cookie" headers.
These cookies may consist of user authentication credentials and
might cause a client to assume the identity of a prior user. This has been corrected so
credentials are not cached.
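
The failure mode in 249863, shown as an added example that is not RiOS code: a shared response cache that stores "Set-Cookie" replays the first user's session to the next one, while a cache that strips the header before storing does not. The class names, the URL and the cookie values are constructed for illustration.

```python
from dataclasses import dataclass

# Added illustration, not RiOS code. All names and cookie values are constructed.
PER_USER_HEADERS = {"set-cookie"}  # the header named in the release note


@dataclass
class Response:
    status: int
    headers: list   # [(name, value), ...]; duplicate names are allowed
    body: bytes


def origin_for(user):
    """Constructed origin server: every reply sets a session cookie for `user`."""
    def origin(url):
        return Response(
            200,
            [("Content-Type", "text/html"),
             ("Set-Cookie", f"session={user}-constructed")],
            b"<html>shared page</html>",
        )
    return origin


class NaiveCache:
    """Behaviour described as the bug: the full response, cookie included,
    is stored once and replayed to every later client."""

    def __init__(self):
        self._store = {}

    def fetch(self, url, origin):
        if url not in self._store:
            self._store[url] = origin(url)
        return self._store[url]


class StrippingCache(NaiveCache):
    """Behaviour described as the fix: per-user headers never enter the cache."""

    def fetch(self, url, origin):
        if url in self._store:
            return self._store[url]
        fresh = origin(url)
        shared = [(n, v) for n, v in fresh.headers
                  if n.lower() not in PER_USER_HEADERS]
        self._store[url] = Response(fresh.status, shared, fresh.body)
        return fresh  # the requesting client still receives its own cookie


def cookies_per_client(cache):
    """Fetch one URL as alice, then as bob; return the cookies each one saw."""
    url = "https://sharepoint.example/sites/home"  # constructed URL
    seen = []
    for user in ("alice", "bob"):
        resp = cache.fetch(url, origin_for(user))
        seen.append([v for n, v in resp.headers if n.lower() == "set-cookie"])
    return seen
```
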
 249939 Fixed an issue where a configuration policy push from an SCC to a SteelHead
containing a large number of host or port labels caused the entire push to fail.

 250228 Fixed an issue where an authentication request to the ACS server failed if the
authentication policy required a remote IP address along with the username and
password.
 250249 CVE-2016-0777: An information leak (memory disclosure) in OpenSSH client
related to the roaming connection feature.

Details:
CVE-2016-0777: An information leak (memory disclosure) can be exploited by a rogue
SSH server to trick a client into leaking sensitive data from the client memory, such as
private keys.
CVE-2016-0778: A buffer overflow (leading to file descriptor leak), can also be exploited
by a rogue SSH server, but due to another bug in the code is possibly not exploitable,
and only under certain conditions (not the default configuration), when using
ProxyCommand, ForwardAgent, or ForwardX11.
Note: CVE-2016-0778 does not apply to Riverbed appliances, because the specified
configuration options are not used. Both vulnerabilities apply only to client use, not
server use.

Fix:
We have upgraded OpenSSH to 7.1p2 to fix the above vulnerabilities.

Recommendation:
Upgrade to a version with this fix. Otherwise, avoid using the "ssh slogin" command to
log in to untrusted servers.
 250484 Fixed an issue wherein clicking a connection type on the Current Connections
page of the Management Console would behave incorrectly on appliances not licensed
for Space Communications Protocol Specifications (SCPS) protocol.
 250562 Disabled a potential vulnerability where a user could visit a specific URL path in
the appliance's web user interface, and see some technical details about the web server
environment.
 250611 CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c.

Details:
When the caching DNS server is enabled, it is vulnerable to a denial of service attack. A
remote authenticated attacker can cause the DNS server to exit by sending a malformed
Address Prefix List (APL) record.
CVE-2015-8705 is not applicable, as this applies to BIND 9.10.x, and the version currently
used on appliances is 9.9.x.

Fix:
BIND named has been upgraded to 9.9.8-P3.

Recommendation:
Upgrade to patched version if applicable.

 250951 CVE-2015-8138, CVE-2015-7973, and CVE-2015-7979: NTP security update.

Details:
NTP server before 4.2.8p6 has the following security vulnerabilities:
CVE-2015-8158: Potential Infinite Loop in ntpq
CVE-2015-8138: origin: Zero Origin Timestamp Bypass
CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast
mode
CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
CVE-2015-7977: reslist NULL pointer dereference
CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
CVE-2015-7975: nextvar() missing length check
CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between
authenticated peers
CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
Of these, CVE-2015-8138, CVE-2015-7973, and CVE-2015-7979 are applicable. CVE-
2015-7973, and CVE-2015-7979, are only applicable when authenticated NTP is used.
More details of the CVEs can be found at
http://support.ntp.org/bin/view/Main/SecurityNotice

Fix:
We have upgraded the NTP server to 4.2.8p6 to fix these security vulnerabilities.

Recommendation:
Upgrade to a software version with the fix. If this is not possible, use multiple time
sources and avoid placing appliances on untrusted networks to minimize the
vulnerability to CVE-2015-8138.
 251033 Fixed an issue where accented or other special characters in Application names
or descriptions caused the Current Connections page to stop loading and display "Error
Building Table".
 251297 CVE-2016-0701: OpenSSL 1.0.2 through 1.0.2e is vulnerable to DH small
subgroups

Details:
OpenSSL 1.0.2 through 1.0.2e has vulnerability CVE-2016-0701, which is described at
https://www.openssl.org/news/secadv/20160128.txt
This vulnerability does not impact Riverbed appliances as no releases include the
vulnerable version of the OpenSSL 1.0.2 library.

Fix:
Upgraded OpenSSL to 1.0.2f to fix CVE-2016-0701 and CVE-2015-3197.

Recommendation:
No action required.

 251649 Fixed a problem that could lead to a crash if the SteelHead SaaS/Cloud
Accelerator and GeoDNS features are enabled under a high volume of GeoDNS
optimized SaaS Office 365 connections.
 251951 Fixed an issue so that certificates and signing requests generated on the
SteelHead use a SHA-2 signature algorithm. Self-signed SSL certificates now
use RSA-SHA512 instead of RSA-SHA1 and must be at least 2048 bits. When SSL
certificates are displayed in the web or command-line interface, the SHA256 and SHA1
fingerprints are displayed.
 252258 Fixed an issue so that HTTP to HTTPS redirection always uses the same host
name in the HTTPS URL as given in the HTTP URL. Previously, HTTP to HTTPS redirection
used the short hostname in the HTTPS URL, regardless of whether the hostname in the
HTTP URL was a fully qualified domain name or an IP address. In some DNS
configurations, this resulted in the redirection failing.
 252446 CVE-2015-7547: buffer overflow in glibc getaddrinfo call for DNS lookups.

Details:
The GNU C library (glibc) had these vulnerabilities:
CVE-2015-7547: a buffer overflow in client DNS lookups (getaddrinfo) that might allow
malicious client connections from networks with malicious DNS servers to cause crashes
or other harmful effects in server software to which these clients connect. This might
affect servers (for example, SSH) that do DNS lookups on clients connecting to them.
Malicious client connections from networks with malicious DNS servers can create the
overflow conditions.
CVE-2015-5229: the calloc() function might return a pointer to memory that is not filled
with zero bytes.

Fix:
We have upgraded glibc to a version that fixes CVE-2015-7547 and CVE-2015-5229.

Recommendation:
Upgrade the software to a version with this fix. If this is not possible, avoid placing
appliances on networks exposed to untrusted DNS clients.
 252525 Fixed locking for the RPC_IN_DATA and RPC_OUT_DATA virtual connection
registry to prevent a condition that would lead RiOS to crash with Outlook Anywhere
enabled.
 253062 Fixed a problem where log errors such as "[mgmtd.ERR]:
lrs_get_csr_property_str(), rbtssl.c:3879, build (null): Unexpected NULL" were seen
when viewing the Secure Peering (SSL) web page.

 253260 OpenSSL 1.0.2g/1.0.1s security update including CVE-2016-0800 SSL/TLS:
Cross-protocol attack on TLS using SSLv2 (DROWN)

Details:
A cross-protocol attack was discovered that could lead to decryption of TLS sessions by
using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA
padding oracle. Note that traffic between clients and non-vulnerable servers can be
decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a
different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable
server. This vulnerability is known as DROWN (CVE-2016-0800). This update
also includes patches for these lower priority CVEs: CVE-2016-0702, CVE-2016-0705,
CVE-2016-0797, CVE-2016-0798, and CVE-2016-0798.
For more details, see: https://www.openssl.org/news/secadv/20160301.txt and
https://www.openssl.org/news/vulnerabilities.html#y2016.
Note: SSLv2 is disabled on the appliances in the SteelHead and SteelFusion product line.
This vulnerability is not applicable. This includes the web interface and the optimization
service on the SteelHead appliance.

Fix:
OpenSSL upgraded to 1.0.2g or 1.0.1s where applicable. Note that the fix for
CVE-2016-0800 disables SSLv2 and "EXPORT" and "LOW" strength ciphers. See
https://www.openssl.org/news/secadv/20160301.txt.

Recommendation:
Upgrade the software to a version with this fix.
 253547 Fixed a software issue that caused model upgrades to fail. This fix fully restores
the model upgrade functionality.
 253563 Fixed an issue with client authentication where connections to a server might be
put into bypass mode when TLSv1.2 support is enabled, but server negotiates TLSv1 or
SSLv3. A code change was made to explicitly assure that for client authentication the
SteelHead must negotiate the same protocol version as the client and server.
 253661 Fixed an issue to prevent corrupting the server-side optimization service data
store page when SMB2 connection blacklisting is done. This fix applies only to when the
client negotiates SMB3.11 dialect.
 254168 Fixed an issue where a bug in RiOS version 9.1.2 caused high CPU usage by the
QoS process when using deep packet inspection for TLS traffic. This patch resolves this
issue.
 254783 Fixed an issue to handle parsing of invalid HTTP chunked payload data with
missing expected newline chars (CRLF). Fix puts the connection in bypass state instead.

 254970 CVE-2016-0787: libssh2 vulnerability which could cause less secure keys to be
generated for encrypted traffic.

Details:
libssh2 has CVE-2016-0787, which could cause less secure keys to be generated for
encrypted traffic.

Fix:
We have upgraded libssh2 to fix CVE-2016-0787.

Recommendation:
Upgrade the software to a version with this fix.
 255623 Fixed an issue where the HTTPS channel between the SteelCentral Controller
(SCC) and SteelHead (SH) does not establish. REST feature policy pushes such as hybrid
network, appstats, and web proxy will fail. The SCC appliance pages will show
SteelHeads as Disconnected/No HTTPS connections. The fix helps set up the HTTPS
channel between the SH and SCC and REST feature policy pushes will work correctly.
 257487 Fixed an issue in the SSL client authentication code to correct a missing SSLv3
initialization that was modified in the most recent OpenSSL upgrade. To work around
this problem, update to a RiOS version with the fix or disable SSL client authentication if
it is not necessary.
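
The behaviour described for 254783 above (a chunked body with missing CRLF framing is rejected and the connection goes to bypass instead of being parsed on a guess), sketched as an added example that is not Riverbed's code. The function names and the "optimize"/"bypass" return values are assumptions, and the sample bodies are constructed.

```python
class ChunkFramingError(ValueError):
    """Chunked body violates the framing defined in RFC 7230 section 4.1."""

HEX = b"0123456789abcdefABCDEF"

def decode_chunked(buf: bytes) -> bytes:
    """Strictly decode a complete chunked body; raise on any framing defect."""
    out, pos = bytearray(), 0
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkFramingError("chunk-size line not terminated by CRLF")
        # Drop chunk extensions; accept hex digits only (int() alone would
        # also accept "0x1f", "+1f" or "1_0", which are not valid sizes).
        size_field = buf[pos:eol].split(b";", 1)[0].rstrip(b" \t")
        if not size_field or any(c not in HEX for c in size_field):
            raise ChunkFramingError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # Last chunk: skip optional trailer fields up to the blank line.
            while True:
                eol = buf.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkFramingError("trailer section not terminated by CRLF")
                if eol == pos:
                    return bytes(out)
                pos = eol + 2
        data_end = pos + size
        if data_end + 2 > len(buf):
            raise ChunkFramingError("chunk data truncated")
        if buf[data_end:data_end + 2] != b"\r\n":
            raise ChunkFramingError("chunk data not followed by CRLF")
        out += buf[pos:data_end]
        pos = data_end + 2

def handle_body(buf: bytes):
    """Return ('optimize', payload) or ('bypass', reason), never a guessed parse."""
    try:
        return "optimize", decode_chunked(buf)
    except ChunkFramingError as exc:
        return "bypass", str(exc)

# Constructed samples: a well-formed body, and one whose first chunk lacks its CRLF.
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
BAD = b"4\r\nWiki5\r\npedia\r\n0\r\n\r\n"
```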

4) KNOWN ISSUES
 165137 SteelHead peer-version string might be displayed incorrectly in the Current
Connections page No known workaround.

 198015 SteelHeads cannot be managed by the SteelCentral Controller for SteelHead
when requisite management channels are not established "SCC versions 9.0.0 and above
require two channels to the appliance - an SSH channel and an HTTPS channel. The
status of these channels can be viewed on the SteelHead terminal with the command:
show scc a sample output of this command is shown below:
amnesiac > show scc
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: bravo-sh378
SSH connection (from the CMC):
Status: Connected
Hostname: bravo-sh378 (10.5.39.87)
When the host for the HTTPs and SSH connection are different or both the channels do
not have "Connected" status, the appliance cannot be fully managed by the SCC. In
order to connect a SteelHead to the SCC, you can use the command:
scc hostname <hostname> in configure mode to establish the connections. If both
connections show "Connected" to two different SCC's, please remove the appliance
from the Manage -> Appliances page on the SCC which is incorrect and update the
appliance username and password on the correct SCC. If the SCC hostname was never
configured on the appliance, the appliance will try to connect to the host riverbedcmc.
Please make sure to update your DNS to point the hostname riverbedcmc to the correct
SCC which is managing the appliance.
 204196 Switching configuration files while the system collects a sysdump for a process
crash fails Ensure that the system is in a stable state, and not collection sysdumps
before attempting to switch configuration files.
 218352 Class names can change during migration Reselect the desired classes using
their post-migration names.
 225148 Importing a configuration fails if user password contains an "at" sign (@) Avoid
using the at-sign (@) in passwords.
 229980 Web Proxy ignores transparency options on the applicable in-path rule No
workaround is available. You should be aware that transparency options do not apply to
traffic optimized by Web Proxy.
 238175 For connections optimized by Web Proxy the Current Connections report always
shows "W" for Connection Type Open the connection detail, which shows the correct
icon.
 238497 Menu commands are hidden, not disabled, for monitor users No workaround.
 238599 Current Connections report incorrectly shows that path selection occurs when
the SteelHead is in an Interceptor cluster the report will show correct information once
channels are configured but will continue to show erroneous Path Selection information
as long as they are not.

 239385 MAPI transparent prepopulation max connection value resets to the default
value upon upgrade. After upgrading, reconfigure to the desired value.
 247441 Pages display a "Page Load Error" intermittently during a policy push from the
SCC. The situation will clear itself once the push is complete.
 247807 Connection pooling when used with traffic-aware probing backoff (path
selection) can lead to suboptimal results. Disable connection pooling if using the
traffic-aware backoff feature.
 248582 Replaced SteelHead through RMA requires manual reconnection to SCC.
SteelHead needs to be reconnected from SCC with new serial number.
 253384 Current Connections report may not display detailed information for some
connections optimized by Web Proxy. A workaround isn't currently known, but most
information on a Web Proxy connection is already in the table row.
 253415 When performing fetch operations for the SteelFusion Edge appliance from SCC,
an "UNKNOWN_COMP.ERR" error might be displayed. No workarounds exist. When
performing fetch operations for the SteelFusion Edge appliance from the SteelCentral
Controller (SCC), an "UNKNOWN_COMP.ERR" error might be displayed. You can ignore
this error; the fetch operation is still successful even though this error is displayed.
 253725 TCP Dump snap-length setting of 0 does not result in the expected 64 KB. In the
SteelHead Management Console when you start a TCP Dump with the snap-length set to
0, this results in a 16 KB snap-length instead of the expected 64 KB. To obtain a 64 KB
snap-length, enter 65535 in the Custom field for snap-length.
 254093 When making configuration changes, the system log might include an error
message such as [pm.ERR]: Output from yarder_rbt: IOError: unexpected end of file
while reading request at position x. No workarounds exist. This does not have any
impact on functionality.
 254279 SCC push failure can result in a service restart message on SteelHead Disregard
the service restart request.
 254625 Filtering large numbers of connections on the Current Connections page causes
error messages such as "Broken Pipe" or "Failed to flush CGI output to client". No
workarounds exist.
 255099 Time exceeded message displays when REST process starts up No workaround
exists. These are INFO-level logging messages and can be ignored. This can happen on
low-end boxes/virtual boxes and when the device is under CPU load.
 258171 Entering commands immediately after the appliance has booted results in "No
route to service" errors. These errors indicate that a service isn't yet ready to respond.
The command should be able to be run successfully after a few seconds.

 258439 First hybrid networking push after upgrading from the SteelCentral Controller
(SCC) 9.0 to 9.2 can be disruptive to existing path selection connections.
Install 9.2 but do not reboot.
Push CLI config from SCC with these options:
Disable PS
Disable QoS
write mem
reboot into 9.2

CLI commands for the same:

no qos outbound shaping enable
no qos inbound shaping enable
no qos dscp-marking en
 258440 First hybrid networking push after upgrading from the SteelCentral Controller
(SCC) 9.0 to 9.2 can be disruptive to existing path selection connections
Install 9.2 but do not reboot.
Push CLI config from SCC with these options
Disable PS
Disable QoS
write mem
reboot into 9.2

Cli Commands for the same:


no qos outbound shaping enable
no qos inbound shaping enable
no qos dscp-marking en
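
The check described in known issue 198015 above (both channels "Connected" and both pointing at the same SCC), as an added example that is not Riverbed tooling. It parses the `show scc` text in the layout quoted in that issue; the function names are assumptions and the sample is constructed from the output shown there.

```python
import re

# Constructed sample, modelled on the output quoted in known issue 198015.
SAMPLE_OK = """\
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: bravo-sh378
SSH connection (from the CMC):
Status: Connected
Hostname: bravo-sh378 (10.5.39.87)
"""

def parse_show_scc(text):
    """Return {'HTTPS': {'status': ..., 'hostname': ...}, 'SSH': {...}}."""
    channels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(HTTPS|SSH) connection\b", line)
        if m:
            current = channels.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue  # prompt line, Auto-registration, or anything unrecognised
        key, value = (p.strip() for p in line.split(":", 1))
        if key == "Status":
            current["status"] = value
        elif key == "Hostname":
            # Drop a trailing "(ip)" so both channels compare on the name only.
            current["hostname"] = re.sub(r"\s*\(.*\)$", "", value).lower()
    return channels

def scc_management_problems(text):
    """List the reasons the appliance cannot be fully managed (empty = healthy)."""
    ch = parse_show_scc(text)
    problems = []
    for name in ("HTTPS", "SSH"):
        status = ch.get(name, {}).get("status")
        if status != "Connected":
            problems.append(f"{name} channel status is {status or 'missing'}")
    hosts = {name: ch.get(name, {}).get("hostname") for name in ("HTTPS", "SSH")}
    if all(hosts.values()) and hosts["HTTPS"] != hosts["SSH"]:
        problems.append(f"channels point at different SCCs: {hosts['HTTPS']} vs {hosts['SSH']}")
    return problems
```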

5) UPGRADING THE RIOS SOFTWARE VERSION


UPGRADING ALERT
 9.2.0 Upgrade, Path Selection and QoS: Operators must disable path selection and QoS
in SteelHead 9.0.x or SteelHead 9.1.x prior to rebooting into SteelHead 9.2.0, which uses
new path identifiers. Please refer to Knowledge Base article S28250 for detailed
instructions. Failure to follow this process can block pre-existing connections and
render the SteelHead unreachable after the first SCC 9.2.0 Path Selection policy push.
 Path Selection: Upon upgrading a SteelHead from RiOS version 8.6.x or earlier to 9.0.0
and later, existing path selection rules are not automatically migrated. Please refer to
Knowledge Base article S25533 for details.
 QoS: RiOS version 9.0.0 and later uses a completely new QoS management and syntax
compared to RiOS version 8.6.x and earlier. Please refer to Knowledge Base article
S25532 for details prior to upgrading to RiOS version 9.0.0 and later.

Review the SteelHead CX Installation and Configuration Guide for information on upgrading
the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see the Virtual
SteelHead CX Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud
Services User's Guide.

6) STEELCENTRAL CONTROLLER FOR STEELHEAD (SCC) COMPATIBILITY


If you use SteelCentral Controller for SteelHead (SCC) to manage your appliances, you must
upgrade SCC to a specific version before you upgrade your appliances to this software
version. Failure to do so will prevent communication between SCC and your appliances. See
Knowledge Base Article S27759 for complete details.

SCC was formerly known as Central Management Console (CMC). Review the SteelHead CX
Installation and Configuration Guide for information on SCC compatibility.

7) HARDWARE AND SOFTWARE DEPENDENCIES


Review the SteelHead CX Installation and Configuration Guide for information on hardware
and software dependencies. For Virtual SteelHeads, see the Virtual SteelHead CX Installation
Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services User's Guide.

8) CONTACTING RIVERBED SUPPORT


Visit the Riverbed Support site to download software updates and documentation, browse
our library of Knowledge Base articles and manage your account. To open a support case,
choose one of the options below.
Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial
+1 415 247 7381.
Online
You can also submit a support case online.
Email
Send email to support@riverbed.com. A member of the support team will reply as quickly as
possible.

©2017 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo
used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their
respective owners. The trademarks and logos displayed herein may not be used without the prior written
consent of Riverbed Technology or their respective owners.
