
REL-251 Patch Release Notes

for Address Manager v9.3.1

CONFIDENTIAL - For customer's internal use only.


This document may not be reproduced or distributed without the written consent of BlueCat.

© 2022 BlueCat Networks (USA) Inc. and its affiliates.


Contents

REL-251 Patch Release Notes ......................................... 3
    Reasons for release ............................................. 3
    Description of issue ............................................ 3
    Affected software versions ...................................... 3
    Effects on service .............................................. 3
    Rollback support ................................................ 4
    Location of patch ............................................... 4
    Applying the patch to Address Manager ........................... 4
    Rolling back the patch .......................................... 4
    Release Support Policy .......................................... 5
Terms and Conditions ................................................ 6

ii | CONFIDENTIAL
REL-251 Patch Release Notes


Patch for CVE-2021-43527 on Address Manager v9.3.1.

Reasons for release

Announcement Date: December 8, 2021
Severity: Critical
Exploitable: Remotely

This patch addresses the security vulnerability described in CVE-2021-43527 affecting Address Manager v9.3.1. After applying this patch, the Libnss (Libnss3) version will be upgraded to 3.42.1-1+deb10u4, which addresses this vulnerability.

Description of issue

CVE-2021-43527: Under some circumstances, NSS (Network Security Services, packaged as Libnss/Libnss3) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. This can affect BlueCat applications that use NSS for certificate and security validation.

Impact

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Note: For more information, refer to article KI-025003 on BlueCat Customer Care.

Affected software versions


This vulnerability affects the following versions of Address Manager:
• Address Manager v9.3.0, Address Manager v9.3.1
• Address Manager v9.2.0, Address Manager v9.2.1
• Address Manager v9.1.0, Address Manager v9.1.1

Note: Patches for this issue can be applied on Address Manager v9.x.1 versions only. Customers on version v9.x.0 must first upgrade to Address Manager v9.x.1 before applying this patch.

Effects on service

Applying this patch will restart the Address Manager user interface.

Attention: BlueCat advises customers to apply this patch during a controlled or planned outage. Customers should schedule a maintenance window during non-peak times in order to minimize the effects of this interruption.

Rollback support

This patch supports rollback. For details, refer to Rolling back the patch on page 4.

Location of patch

Customers can obtain this patch from article 17915 on BlueCat Customer Care (login required).
• bam_9.3.1-005_REL-251_x86_64.zip: installation file. This zip contains the following artifacts:
    • bam_9.3.1-005_REL-251_x86_64.tar.gz: tarball file.
    • bam_9.3.1-005_REL-251_x86_64.key: associated public key file.
• bam_9.3.1-005_REL-251_x86_64.run.zip: runzip file. This zip file contains the following artifact:
    • bam_9.3.1-005_REL-251_x86_64.run: run file.

Attention: This patch can be applied on Address Manager v9.3.1 only.

Applying the patch to Address Manager

Download the patch from BlueCat and apply via the Address Manager user interface.

Attention: When configuring new replications between Address Manager servers, servers must be running both the same software version and patch. Customers currently running Address Manager in replication should apply the patch only to the Primary server. All replicated servers will be patched automatically.
If a standby server becomes inaccessible during application of the patch, you might need to apply the patch directly from the command line interface (CLI) when it becomes accessible again. Please contact BlueCat Customer Care if any issues arise while applying the patch to servers in replication.

1. Download the installation file from BlueCat Customer Care and extract the tarball file and its associated public key file.
2. Log in to the Address Manager user interface as an administrator.
3. Select the Administration tab.
4. Under General, click Version Management.
5. Click Software Update.
6. Beside the Upload an Address Manager update field, click Choose File and select the tarball file, then click Open. The path and filename for the selected file appear in the text field.
7. Beside the BCN Public Key Security File field, click Choose File and select the associated public key file, then click Open. The path and filename for the selected file appear in the text field.
8. Click Submit. Address Manager uploads the selected file. Once the upload completes, the Update Confirmation page opens.
9. Click Yes.
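As an added example (not part of the BlueCat note or its tooling), the check below confirms after patching that the installed libnss3 package is at least the 3.42.1-1+deb10u4 named in this note, using Debian's version-ordering rules. It assumes the version string is taken from dpkg-query on the Address Manager host (a constructed sample is embedded), and it ignores the Debian epoch because the note gives the fixed version without one.

```python
# Fixed libnss3 version named in the REL-251 release note.
FIXED_NSS = "3.42.1-1+deb10u4"

# Constructed sample of `dpkg-query -W -f='${Version}' libnss3` output (not real host data).
SAMPLE_DPKG_OUTPUT = "2:3.42.1-1+deb10u3\n"


def _order(c):
    """Character weight used by dpkg: digits 0, '~' lowest, letters before punctuation."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does (<0, 0, >0)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using the weights above.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i] if i < len(a) else ""), _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: strip leading zeros, then the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or (ord(a[i]) - ord(b[j]))
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_deb_versions(a, b):
    """Compare upstream-revision strings; the epoch is dropped (assumption, see lead-in)."""
    parts = []
    for v in (a.strip(), b.strip()):
        v = v.split(":", 1)[1] if ":" in v else v
        parts.append(v.rsplit("-", 1) if "-" in v else [v, ""])
    return _verrevcmp(parts[0][0], parts[1][0]) or _verrevcmp(parts[0][1], parts[1][1])


def nss_patched(installed, fixed=FIXED_NSS):
    """True when the installed libnss3 version is at least the fixed version."""
    return compare_deb_versions(installed, fixed) >= 0


if __name__ == "__main__":
    print("libnss3 patched:", nss_patched(SAMPLE_DPKG_OUTPUT))
```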

Rolling back the patch

Revert the changes to Address Manager introduced by this patch.

Note: If you deleted the compressed installation file after applying this patch, start from step 1. If the files are still on your system, proceed to step 3.

1. Download the patch zip file from BlueCat Customer Care and extract the runzip file.
2. Copy the runzip file to the /tmp directory of your Address Manager. If using a UNIX/Linux system, this can be performed with scp <runzip file> root@<addressmanagerIP>:/tmp.
3. Log in using SSH and the root account.
   Note: If you are STIG compliant, you must log in as bluecat and use the su - command to gain access to the root shell.
4. Change to the /tmp directory, then type the following commands:

       unzip <runzip file>
       chmod +x <run file>
       ./<run file> rollback

5. At the prompt, type yes and press ENTER to confirm rollback.

Release Support Policy


BlueCat is continuously developing enhancements and new functionality for its software solutions. As a
result, BlueCat regularly releases major and minor updates that incorporate all of the latest changes to its
products. As long as the customer's BlueCat products are under an active Maintenance Services contract
with BlueCat Customer Care, the customer will be entitled to receive and download these releases.

Testing and applying recommended software updates


It is the responsibility of the customer to apply software patches as necessary in order to maintain
the stability and security of their IP environments. BlueCat strongly recommends a stand-alone lab
environment for testing in order to minimize the risk to a production operation. Within the test environment,
you can check resolutions, updates and upgrades to isolate a specific problem, confirm a fix, or test an
update.
Note: For more information on release support policy and change management, contact BlueCat
Customer Care at https://care.bluecatnetworks.com.

Terms and Conditions


READ THIS BEFORE INSTALLING OR USING BLUECAT PRODUCTS, SERVICES, AND
DOCUMENTATION
The material herein is subject to the applicable BlueCat License Agreement previously entered into
between BlueCat and your company, or if none, then to BlueCat’s standard terms and conditions which
you can view and download from https://bluecatnetworks.com/license-agreements/. BlueCat reserves the
right to revise this material at any time without notice.
Company names and/or data used in screens and sample output are fictitious, unless otherwise stated.

Copyright
©2001—2022 BlueCat Networks (USA) Inc. and its affiliates (collectively ‘BlueCat’). All rights reserved.
This document contains BlueCat confidential and proprietary information and is intended only for the
person(s) to whom it is transmitted. Any reproduction of this document, in whole or in part, without the prior
written consent of BlueCat is prohibited.

Trademarks
Proteus, Adonis, BlueCat DNS/DHCP Server, BlueCat Address Manager, BlueCat DNS Edge, BlueCat
Device Registration Portal, BlueCat DNS Integrity, BlueCat Gateway, BlueCat Mobile Security, BlueCat
Address Manager for Windows Server, and BlueCat Threat Protection are trademarks of BlueCat.
iDRAC is a registered trademark of Dell Inc. Windows is a registered trademark of Microsoft Corporation.
UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds.
QRadar is a registered trademark of IBM. ArcSight is a registered trademark of Hewlett Packard. Ubuntu is
a registered trademark of Canonical Ltd. CentOS is a trademark of the CentOS Project. All other product
and company names are registered trademarks or trademarks of their respective holders.

BlueCat Networks (USA) Inc. and its affiliates.
www.bluecatnetworks.com
Toll Free: 1.866.895.6931
Document #: 3346
Published in Canada
Date: January 2022
