QuantaStor Security Updates

From OSNEXUS Wiki
Jump to: navigation, search

QuantaStor uses the Ubuntu Server LTS linux distributions as a Linux OS basis. QuantaStor also utilizes the security patches packaged by Canonical to address the needs of customers to patch various parts of the operating system to ensure security and stability of the system.

QuantaStor Security Notifications

On this page we maintain a summary of all the product changes made to QuantaStor which are security related and we post specific notices about Linux security issues that effect packages distributed with QuantaStor such as the openssl libraries.

For details on the all the latest security notifications for the Ubuntu LTS release used by QuantaStor please see (http://services.osnexus.com/security). We recommend that appliance administrators perform periodic auditing of their systems and install any and all security updates. It is highly recommended that systems are updated to the latest patched before being initially deployed. To apply the latest updates including security updates you should login to the system as the administrator 'qadmin' account and run the following commands:

sudo apt-get update
sudo apt-get upgrade

Linux Base OS Security Fixes / Notifications

Security notifications for QuantaStor base OS packages are now available at the OSNEXUS Security Notices site (http://services.osnexus.com/security)

Core Product Security Updates

QuantaStor 4.1.5 (Jan 18th 2017)

  • Fixed: Addressed SSL concern CVE-2016-2183 (SWEET32) with updated qsciphers file to remove DES and 3DES ciphers and disabled tomcat web port 8443.

QuantaStor 4.0.8 (Nov 18th 2016)

  • Adds new 3.19.0-73 Linux kernel that includes updates and a security patch to address CVE-2016-5195 (Dirty COW)

QuantaStor 4.0.0 (March 31st 2016)

  • Fixed: Addressed CVE-2015-4000 (Logjam) in the Web Server Package with increase of the default Modulus length to 2048-bit and removal of weak DHE Diffie-Hellman ciphers.
  • Added: New QuantaStor users created via the Users and Groups section of the Web Manager or 'qs user-add' CLI command will now have the same User ID on all QuantaStor nodes. The new UID range is 100000000-199999999.
  • Fixed: An unexpected web request to the Web Server will now correctly route to a 404 error page.

QuantaStor 3.15.1 (May 28th 2015)

  • adds firewall support for disabling access to unused storage services
  • fix to support creation of roles with no permissions

QuantaStor 3.15.0 (May 1st 2015)

  • adds support for customizing the pem files for all services (core qs_service, REST service, and Tomcat)
  • adds support for customizing the SSL ciphers, applies strong cipher limits automatically
  • adds SSL cert generation script which deposits custom certs into /var/opt/osnexus/quantastor/ssl which are automatically picked up by REST and core services
  • adds script command to upgrade from Java 6 to Java 7 (qs-util java7upgrade), which allows browsers to connect via https using stronger ciphers / TLS 1.2
  • fix to disable all use of SSLv3 across all internal services (Core service, Tomcat, REST API service) in favor of TLS for improved security / HIPAA compliance
  • fix to allow removal of duplicate 'admin' users
  • fix to remove duplicate user entries in Samba config when user assigned as 'Admin' on a share
  • fix to password length enforcement (8-34 char)

QuantaStor 3.12.2 (July 22nd 2014)

  • fix to set password error message to show 8 to 40 characters required
  • fix to update user password changes to all grid nodes

QuantaStor 3.12.0 (June 27th 2014)

  • adds new https keystore for web management interface (be sure to clear your browser cache)
  • adds secure mode 'qs-util disablehttp' to enable/disable http access (port 80) to force admins to use https for web management
  • fix to core service to allow for changing openssl pem files

QuantaStor 3.9.3 (March 7th 2014)

  • fix to AD domain leave operation to remove AD computer entry