
REL-251 Patch Release Notes

for DNS/DHCP Server v9.3.1

CONFIDENTIAL - For customer's internal use only.


This document may not be reproduced or distributed without the written consent of BlueCat.

© 2022 BlueCat Networks (USA) Inc. and its affiliates.


Contents

REL-251 Patch Release Notes (p. 3)
  Reasons for release (p. 3)
  Description of issue (p. 3)
  Affected software versions (p. 3)
  Effects on service (p. 3)
  Rollback support (p. 4)
  Location of patch (p. 4)
  Applying the patch to DNS/DHCP Servers (p. 4)
  Rolling back the patch (p. 4)
  Release Support Policy (p. 5)
Terms and Conditions (p. 6)


REL-251 Patch Release Notes


Patch for CVE-2021-43527 on DNS/DHCP Server v9.3.1.

Reasons for release


Announcement Date: December 8, 2021
Severity: Critical
Exploitable: Remotely
This patch addresses the security vulnerability described in CVE-2021-43527 affecting DNS/DHCP Server
v9.3.1. After applying this patch, the Libnss (Libnss3) version will be upgraded to 3.42.1-1+deb10u4, which
addresses this vulnerability.

Description of issue

CVE-2021-43527: Under some circumstances, some NSS (Network Security Services) versions prior
to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow.
Some Libnss (Libnss3) versions prior to 3.73 or 3.68.1 ESR contain a heap overflow that can be
triggered when handling DER-encoded DSA or RSA-PSS signatures. This can impact BlueCat
applications that use NSS for certificate and security validation.

Impact
Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or
modification of data, or Denial of Service (DoS).
Note: For more information, refer to article KI-025003 on BlueCat Customer Care.

Affected software versions


This vulnerability affects the following versions of DNS/DHCP Server software:
• DNS/DHCP Server v9.3.0, DNS/DHCP Server v9.3.1
• DNS/DHCP Server v9.2.0, DNS/DHCP Server v9.2.1
• DNS/DHCP Server v9.1.0, DNS/DHCP Server v9.1.1
Note: Patches for this issue can be applied on DNS/DHCP Server v9.x.1 versions only.
Customers on version v9.x.0 must first upgrade to DNS/DHCP Server v9.x.1 before applying this
patch.

Effects on service
DNS and DHCP services are not affected by installation of this patch.
Attention: BlueCat advises customers to apply this patch during a controlled or planned
outage. Customers should schedule a maintenance window during non-peak times in order to
minimize the effects of this interruption.


Rollback support
This patch supports rollback. For details, refer to Rolling back the patch on page 4.

Location of patch
Customers can obtain this patch from article 17915 on BlueCat Customer Care (login required).
• bdds_9.3.1-002_REL-251_x86_64.zip—installation file. This zip contains the following artifacts:
  • bdds_9.3.1-002-251_x86_64.tar—tarball file.
  • bdds_9.3.1-002_REL-251_x86_64.key—associated public key file.
• bdds_9.3.1-002_REL-251_x86_64.run.zip—runzip file. This zip file contains the following artifacts:
  • bdds_9.3.1-002_REL-251_x86_64.run—run file.
Attention: This patch can be applied on DNS/DHCP Server v9.3.1 only.

Applying the patch to DNS/DHCP Servers


Download the patch from BlueCat and apply it to managed DNS/DHCP Servers and xHA pairs using the
Address Manager user interface.
1. Download the installation file from BlueCat Customer Care and extract the tarball file and its
associated public key file.
2. Log in to Address Manager as an administrator and select the Administration tab.
3. Under General, click BlueCat DNS/DHCP Server Patches.
4. Under Upload a BlueCat DNS/DHCP Server Patch, click Choose File to locate the tarball file and its
associated public key file.
5. Click Add File. Once the upload is complete, the tarball file appears under Available
BlueCat DNS/DHCP Server Patch files.
6. Select the Servers tab and select the check boxes for one or more DNS/DHCP Servers.
7. Click Action, then select Apply Patch. The Confirm Server Patch page opens.
8. Under Confirm Server Patch, verify the servers you will update.
9. Under Available Patches, select the tarball from the drop-down menu.
10. Click Yes. Allow several minutes for Address Manager to apply the patch to the selected servers.
11. Under Patch Results, click OK.
Address Manager returns you to the Servers tab.
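As an added example that is not part of these release notes or of any BlueCat tooling, the following Python script checks a server inventory against the libnss3 package version this patch installs. It assumes the inventory is a list of constructed "<host> <package> <version>" lines (for instance gathered on each server with dpkg-query), and it reimplements dpkg's Debian version ordering, including the "~" rule, so the check can run on a workstation where dpkg is not installed.

```python
# Added example, not BlueCat's code: report DNS/DHCP Servers whose libnss3 is
# still older than the fixed package version named in these notes. Input is
# assumed to be "<host> <package> <version>" lines, e.g. gathered per server
# with:  dpkg-query -W -f='${Package} ${Version}\n' libnss3
import re
from itertools import zip_longest

FIXED_LIBNSS3 = "3.42.1-1+deb10u4"  # version installed by REL-251

def _order(c):
    # dpkg character weight: end/digit 0, '~' before everything, letters before symbols
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Order one version fragment like dpkg: walk (non-digit run, digit run)
    pairs; non-digit runs compare by weight, digit runs numerically."""
    pa = [p for p in re.findall(r"(\D*)(\d*)", a) if p != ("", "")]
    pb = [p for p in re.findall(r"(\D*)(\d*)", b) if p != ("", "")]
    for (sa, da), (sb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(a, b):
    """Full Debian order: epoch, then upstream version, then Debian revision.
    Returns <0, 0 or >0, like dpkg --compare-versions."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def vulnerable_hosts(report_lines):
    """Hosts whose libnss3 is older than FIXED_LIBNSS3, i.e. the patch is not applied."""
    return [host for host, pkg, ver in (line.split() for line in report_lines)
            if pkg == "libnss3" and compare_versions(ver, FIXED_LIBNSS3) < 0]

# Constructed sample inventory; not output from any real BlueCat system.
SAMPLE_REPORT = [
    "bdds-01 libnss3 3.42.1-1+deb10u3",       # pre-patch Debian 10 build
    "bdds-02 libnss3 3.42.1-1+deb10u4",       # patched
    "bdds-03 libnss3 3.42.1-1+deb10u4~bpo1",  # constructed: '~' sorts below u4
]
```

Running vulnerable_hosts(SAMPLE_REPORT) returns the hosts still to be patched; the "~" sample shows why a plain string comparison would misclassify such a package.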

Rolling back the patch


Revert the changes to DNS/DHCP Servers introduced by this patch.
Note: If you deleted the compressed installation file after applying this patch, start from step 1. If
the files are still on your system, proceed to step 3.
1. Download the installation file from BlueCat Customer Care and extract the runzip file.
2. Copy the runzip file to the /tmp directory of your DNS/DHCP Server. If using a UNIX/Linux system, this
can be performed with:
   scp <runzip file> root@<dns/dhcpserverIP>:/tmp
3. Log in using SSH and the root account.
Note: If you are STIG compliant, you must log in as bluecat and use the su - command to
gain access to the root shell.
4. Change to the /tmp directory, then type the following commands:
   unzip <runzip file>
   chmod +x <run file>
   ./<run file> rollback
5. At the prompt, type yes and press ENTER to confirm rollback.

Release Support Policy


BlueCat is continuously developing enhancements and new functionality for its software solutions. As a
result, BlueCat regularly releases major and minor updates that incorporate all of the latest changes to its
products. As long as the customer's BlueCat products are under an active Maintenance Services contract
with BlueCat Customer Care, the customer will be entitled to receive and download these releases.

Testing and applying recommended software updates


It is the responsibility of the customer to apply software patches as necessary in order to maintain
the stability and security of their IP environments. BlueCat strongly recommends a stand-alone lab
environment for testing in order to minimize the risk to a production operation. Within the test environment,
you can check resolutions, updates and upgrades to isolate a specific problem, confirm a fix, or test an
update.
Note: For more information on release support policy and change management, contact BlueCat
Customer Care at https://care.bluecatnetworks.com.


Terms and Conditions


READ THIS BEFORE INSTALLING OR USING BLUECAT PRODUCTS, SERVICES, AND
DOCUMENTATION
The material herein is subject to the applicable BlueCat License Agreement previously entered into
between BlueCat and your company, or if none, then to BlueCat’s standard terms and conditions which
you can view and download from https://bluecatnetworks.com/license-agreements/. BlueCat reserves the
right to revise this material at any time without notice.
Company names and/or data used in screens and sample output are fictitious, unless otherwise stated.

Copyright
©2001—2022 BlueCat Networks (USA) Inc. and its affiliates (collectively ‘BlueCat’). All rights reserved.
This document contains BlueCat confidential and proprietary information and is intended only for the
person(s) to whom it is transmitted. Any reproduction of this document, in whole or in part, without the prior
written consent of BlueCat is prohibited.

Trademarks
Proteus, Adonis, BlueCat DNS/DHCP Server, BlueCat Address Manager, BlueCat DNS Edge, BlueCat
Device Registration Portal, BlueCat DNS Integrity, BlueCat Gateway, BlueCat Mobile Security, BlueCat
Address Manager for Windows Server, and BlueCat Threat Protection are trademarks of BlueCat.
iDRAC is a registered trademark of Dell Inc. Windows is a registered trademark of Microsoft Corporation.
UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds.
QRadar is a registered trademark of IBM. ArcSight is a registered trademark of Hewlett Packard. Ubuntu is
a registered trademark of Canonical Ltd. CentOS is a trademark of the CentOS Project. All other product
and company names are registered trademarks or trademarks of their respective holders.

BlueCat Networks (USA) Inc. and its affiliates.
www.bluecatnetworks.com
Toll Free: 1.866.895.6931
Document #: 3347
Published in Canada
Date: January 2022
