Installing Software Maintenance Update for Spring4Shell Vulnerability

Installing Software Maintenance Update on Cisco DCNM OVA/ISO Deployment

This section provides instructions to install Software Maintenance Update (SMU) on OVA/ISO deployments in Cisco DCNM Release 11.5(4) to address CVE-2022-22965 issue.

This section contains the following topics:

Installing SMU on DCNM Standalone Deployment

This section provides instructions to install Software Maintenance Update (SMU) on OVA/ISO deployments in Cisco DCNM Release 11.5(4) to address CVE-2022-22965 issue.

To apply the Software Maintenance Update (SMU) on Cisco DCNM OVA/ISO in Standalone deployment mode, perform the following steps:

Before you begin

  • Take a backup of the application data using the appmgr backup command on the DCNM appliance. 

    dcnm# appmgr backup

    Copy the backup file to a safe location outside the DCNM server.

  • If Cisco DCNM appliance is installed in VMware environment, ensure that you take VM snapshots for all nodes. For instructions, refer to VMware Snapshot Support section in your Cisco DCNM Release Notes.

  • Ensure that you plan for a maintenance window to install SMU.

  • Ensure that Cisco DCNM 11.5(4) is up and running.


    Note

    Only a root user can install the SMU on the Cisco DCNM Release 11.5(4) appliance

Procedure

Step 1

Download the SMU file.

  1. Go to the following site: https://software.cisco.com/download/.

    A list of the latest release software for Cisco DCNM available for download is displayed.

  2. In the Latest Releases list, choose Release 11.5(4).

  3. Locate DCNM 11.5(4) Maintenance Update for VMWare, KVM, Bare-metal, and Appliance servers to address CVE-2022-22965 and click Download icon.

  4. Save the dcnm-va-patch.11.5.4-p1.iso file to your directory that is easy to find when you start to apply the maintenance update (patch).

Step 2

Unzip the dcnm-va-patch.11.5.4-p1.iso file and upload the file to the /root/ folder in the DCNM node.

Step 3

Log on to the Cisco DCNM appliance using SSH as a sysadmin user.

Run the su command to enable root user. 

dcnm# su
Enter the root password: 
[root@dcnm]#
Step 4

Run the following command to create a screen session.

[root@dcnm]# screen

This creates a session which allows you to execute the commands. The commands continue to run even when the window is not visible or if you get disconnected.

Step 5

Create a folder named iso using the mkdir /mnt/iso command. 

[root@dcnm1]# mkdir -p /mnt/iso
Step 6

Mount the DCNM 11.5(4) SMU file in the /mnt/iso folder. 

[root@dcnm]# mount -o loop dcnm-va-patch.11.5.4-p1.iso /mnt/iso
Step 7

Navigate to /scripts/ directory. 

[root@dcnm]# cd /mnt/iso/packaged-files/scripts/
Step 8

Run the ./inline-upgrade.sh script. 

[root@dcnm]# ./inline-upgrade.sh

The progress is displayed on the screen. When the installation of SMU is complete, a successful message appears.

Note 

After the SMU is installed successfully, the DCNM process restarts. This results in a momentary loss of access to the DCNM Web UI.

Step 9

Ensure the DCNM application is functional, by using the appmgr status all command. 

[root@dcnm]# appmgr status all
Step 10

Terminate the screen session, by using the exit command.

[root@dcnm]# exit
Step 11

Unmount the dcnm-va-patch.11.5.4-p1.iso file from the DCNM setup.

Note 

You must terminate the screen session before unmounting the SMU file. 

[root@dcnm]# umount /mnt/iso

Installing SMU on DCNM Native HA Deployment

This section provides instructions to install Software Maintenance Update (SMU) on OVA/ISO deployments in Cisco DCNM Release 11.5(4) to address CVE-2022-22965 issue.

To apply the Software Maintenance Update (SMU) on Cisco DCNM OVA/ISO in Native HA deployment mode, perform the following steps:

Before you begin

  • Check and ensure that the Active and Standby servers are operational, using the appmgr show ha-role command.

    Example:

    On the Active node:
    dcnm1# appmgr show ha-role
Native HA enabled.
Deployed role: Active
Current role: Active
    On the Standby node:
    dcnm2# appmgr show ha-role
Native HA enabled.
Deployed role: Standby
Current role: Standby

  • Take a backup of the application data using the appmgr backup command on both Active and Standby appliances. 

    dcnm1# appmgr backup
    dcnm2# appmgr backup

    Copy the backup file to a safe location outside the DCNM server.

  • If Cisco DCNM appliance is installed in VMware environment, ensure that you take VM snapshots for all nodes. For instructions, refer to VMware Snapshot Support section in your Cisco DCNM Release Notes.

  • Ensure that you plan for a maintenance window to install SMU.

  • Ensure that both the Cisco DCNM 11.5(4) Active and Standby peers are up and running.

    To apply this software maintenance update on Cisco DCNM Virtual Appliance in Native HA Mode, apply this update on the Active and Standby appliance. Wait until the role of the Active appliance is Active again. Apply the update on the Standby appliance, later.

    For Native HA cluster deployments, install the SMU on Active and Standby appliances, before installing SMU on the compute nodes.


    Note

    Only a root user can install the SMU on the Cisco DCNM Release 11.5(4) appliance.

Procedure

Step 1

Download the SMU file.

  1. Go to the following site: https://software.cisco.com/download/.

    A list of the latest release software for Cisco DCNM available for download is displayed.

  2. In the Latest Releases list, choose Release 11.5(4).

  3. Locate DCNM 11.5(4) Maintenance Update for VMWare, KVM, Bare-metal, and Appliance servers to address CVE-2022-22965 and click Download icon.

  4. Save the dcnm-va-patch.11.5.4-p1.iso file to your directory that is easy to find when you start to apply the maintenance update (patch).

Step 2

Unzip the dcnm-va-patch.11.5.4-p1.iso file and upload the file to the /root/ folder in both Active and Standby node of the DCNM setup.

Note 
For example, let us indicate Active and Standby appliances as dcnm1 and dcnm2 respectively.
Step 3

Log on to the Cisco DCNM appliance using SSH as a sysadmin user.

Run the su command to enable root user. 

dcnm1# su
Enter the root password: 
[root@dcnm1]#
dcnm2# su
Enter the root password: 
[root@dcnm2]#
Step 4

Run the following command to create a screen session.

[root@dcnm1]# screen

[root@dcnm2]# screen

This creates a session which allows you to execute the commands. The commands continue to run even when the window is not visible or if you get disconnected.

Step 5

On the Active node, install the SMU.

  1. Create a folder named iso using the mkdir /mnt/iso command. 

    [root@dcnm1]# mkdir -p /mnt/iso

  2. Mount the DCNM 11.5(4) SMU file on the Active node in the /mnt/iso folder. 

    [root@dcnm1]# mount -o loop dcnm-va-patch.11.5.4-p1.iso /mnt/iso

  3. Navigate to /scripts/ directory. 

    [root@dcnm1]# cd /mnt/iso/packaged-files/scripts/

  4. Run the ./inline-upgrade.sh script. 

    [root@dcnm1]# ./inline-upgrade.sh

    The progress is displayed on the screen. When the installation of SMU is complete, a successful message appears.

    Note 

    After the SMU is installed successfully, the DCNM process restarts. This results in a momentary loss of access to the DCNM Web UI.

  5. Ensure the DCNM application is functional, by using the appmgr status all command. 

    [root@dcnm1]# appmgr status all
    Note 

    Ensure that all the services are up and running on the Cisco DCNM Active node before proceeding to apply SMU on the Standby node.

Step 6

On the Standby node, install the SMU.

  1. Create a folder named iso using the mkdir /mnt/iso command. 

    [root@dcnm2]# mkdir -p /mnt/iso

  2. Mount the DCNM 11.5(4) SMU file on the Standby node in the /mnt/iso folder. 

    [root@dcnm2]# mount -o loop dcnm-va-patch.11.5.4-p1.iso /mnt/iso

  3. Navigate to /scripts/ directory. 

    [root@dcnm2]# cd /mnt/iso/packaged-files/scripts/

  4. Run the ./inline-upgrade.sh script. 

    [root@dcnm2]# ./inline-upgrade.sh --standby

    The progress is displayed on the screen. When the installation of SMU is complete, a successful message appears.

    Note 

    After the SMU is installed successfully, the DCNM process restarts. This results in a momentary loss of access to the DCNM Web UI.

  5. Ensure the DCNM application is functional, by using the appmgr status all command. 

    [root@dcnm2]# appmgr status all
Step 7

Terminate the screen session, by using the exit command.

[root@dcnm1]# exit

[root@dcnm2]# exit
Step 8

Unmount the dcnm-va-patch.11.5.4-p1.iso file in both Active and Standby node of the DCNM setup.

Note 

You must terminate the screen session before unmounting the SMU file. 

[root@dcnm1]# umount /mnt/iso
[root@dcnm2]# umount /mnt/iso

Installing SMU on Cisco DCNM 11.5(4) Compute Nodes

This section provides instructions to install Software Maintenance Update (SMU) on OVA/ISO deployments in Cisco DCNM Release 11.5(4) to address CVE-2022-22965 issue.

To apply the Software Maintenance Update (SMU) on compute nodes in Cisco DCNM clustered setup, perform the following steps:

Before you begin

  • You must install the SMU on Cisco DCNM Servers in Native HA mode, before upgrading the DCNM compute nodes.

  • If Cisco DCNM appliance is installed in VMware environment, ensure that you take VM snapshots for all nodes. For instructions, refer to VMware Snapshot Support section in your Cisco DCNM Release Notes.

  • Ensure that you plan for a maintenance window to install SMU.

  • Ensure that Cisco DCNM 11.5(4) is up and running.


    Note

    Only a root user can install the SMU on the Cisco DCNM Release 11.5(4) appliance.

Procedure

Step 1

Download the SMU file.

  1. Go to the following site: https://software.cisco.com/download/.

    A list of the latest release software for Cisco DCNM available for download is displayed.

  2. In the Latest Releases list, choose Release 11.5(4).

  3. Locate DCNM 11.5(4) Maintenance Update for VMWare, KVM, Bare-metal, and Appliance servers to address CVE-2022-22965 and click Download icon.

  4. Save the dcnm-va-patch.11.5.4-p1.iso file to your directory that is easy to find when you start to apply the maintenance update (patch).

Step 2

Unzip the dcnm-va-patch.11.5.4-p1.iso file and upload the file to the /root/ folder in all three compute nodes of the DCNM setup.

For example, let us indicate the three Compute Nodes as Compute1, Compute2, and Compute3.

Step 3

Log on to the Cisco DCNM appliance using SSH as a sysadmin user.

Run the su command to enable root user. 

dcnm-compute1# su
Enter the root password: 
[root@dcnm-compute1]#
Step 4

Run the following command to create a screen session.

[root@dcnm-compute1]# screen

This creates a session which allows you to execute the commands. The commands continue to run even when the window is not visible or if you get disconnected.

Step 5

On Compute1 node, install the SMU.

  1. Create a folder named iso using the mkdir /mnt/iso command. 

    [root@dcnm-compute1]# mkdir -p /mnt/iso

  2. Mount the DCNM 11.5(4) SMU file on Compute1 node in the /mnt/iso folder. 

    [root@dcnm-compute1]# mount -o loop dcnm-va-patch.11.5.4-p1.iso /mnt/iso

  3. Navigate to /scripts/ directory. 

    [root@dcnm-compute1]# cd /mnt/iso/packaged-files/scripts/

  4. Run the ./inline-upgrade.sh script. 

    [root@dcnm-compute1]# ./inline-upgrade.sh

    The progress is displayed on the screen. When the installation of SMU is complete, a successful message appears.

    If some services are still running, a prompt to stop the services appears. When prompted, press y to continue.

  5. Ensure the DCNM application is functional, by using the appmgr status all command. 

    [root@dcnm-compute1]# appmgr status all
    Note 

    Ensure that all the services are up and running on the dcnm-compute1 node.

  6. Terminate the screen session, by using the exit command.

    [root@dcnm-compute1]# exit

  7. Unmount the dcnm-va-patch.11.5.4-p1.iso file from the Compute1.

    Note 

    You must terminate the screen session before unmounting the SMU file. 

    [root@dcnm]# umount /mnt/iso
Step 6

Install the SMU on the other two Compute nodes also.

Follow the instructions as explained in Step Step 5.

What to do next

After the installation is complete, each compute node joins the cluster automatically. On the Web UI, choose Applications > Compute to verify if the compute node appears as Joined.


Note

If you try to install the SMU again, an error message appears stating that the patch is already applied on the Cisco DCNM/Compute.