A few days ago, 2022-01-24, a maintenance release to the latest long term support (LTS) version of AOS, 5.20, was released meaning the latest LTS release is now 5.20.3. As with 5.20 the 5.20.3 release includes features from AOS STS (Short Term Support) 5.19, 5.19.1 and 5.19.2 plus additional improvements. Read more about difference between LTS & STS here.
Like the prior AOS release, 5.20.2, the 5.20.3 release also has a strong security focus & includes fixes for the following vulnerabilities.
- AOS
- CESA-2021:3798
- CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash().
- CVE-2021-23840 openssl: integer overflow in CipherUpdate.
- CESA-2021:3801
- CVE-2021-3653 kernel: SVM nested virtualization issue in KVM (AVIC support).
- CVE-2021-3656 kernel: SVM nested virtualization issue in KVM (VMLOAD/VMSAVE).
- CVE-2021-37576 kernel: powerpc: KVM guest OS users can cause host OS memory corruption.
- CVE-2021-22543 kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks.
- CESA-2021:3810
- CVE-2016-4658 libxml2: Use after free via namespace node in XPointer ranges.
- CESA-2021:3856
- CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted request uri-path containing “unix:”.
- CESA-2021:3889
- CVE-2021-35565 OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967).
- CVE-2021-35556 OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167).
- CVE-2021-35559 OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580).
- CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097).
- CVE-2021-35564 OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137).
- CVE-2021-35586 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735).
- CVE-2021-35603 OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618).
- CVE-2021-35550 OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210).
- CVE-2021-35578 OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729).
- CVE-2021-35567 OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689).
- CVE-2021-35588 OpenJDK: Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071)
- CESA-2021:4033
- CVE-2021-42574 Developer environment: Unicode’s bidirectional (BiDi) override characters can cause trojan source attacks.
- CESA-2021:4777
- CVE-2020-36385 kernel: use-after-free in drivers/infiniband/core/ucma.c ctx use-after-free.
- CESA-2021:4782
- CVE-2021-41617 openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are configured.
- CESA-2021:4785
- CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package.
- CESA-2021:4788
-
CVE-2021-37750 krb5: NULL pointer dereference in process_tgs_req() in kdc/do_tgs_req.c via a FAST inner body that lacks server field.
-
- CESA-2021:4904
- CVE-2021-43527 nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS).
- CESA-2021:3798
- AHV
- CESA-2021:3325
- CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer.
- CVE-2020-29443 QEMU: ide: atapi: OOB access while processing read commands.
- CVE-2021-23840 openssl: integer overflow in CipherUpdate CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash().
- CVE-2016-4658 libxml2: Use after free via namespace node in XPointer ranges.
In addition, the 5.20.3 release also includes improvements in the following areas:
- AHV-Management
- API Infra
- Data Protection
- Flow
- Infrastructure / Services
- Networking
- Nutanix Cluster Check (NCC)
- Nutanix Guest Tools (NGT)
- Prism Gateway
- Stargate
- Zookeeper
AOS 5.20.3 comes with AHV version 7.2.4 build 20201105.2244 and can be managed with any of the following Prism Central versions:
-
pc.2021.9.0.4
-
pc.2021.9.0.3
-
pc.2021.9.0.2
-
pc.2021.9.0.1
-
pc.2021.9
-
pc.2021.8.0.1
-
pc.2021.8
-
pc.2021.7
-
pc.2021.5.0.1
-
pc.2021.5
As usual check Nutanix Software End Of Life document on a regular basis to keep you up to date.
Useful links
- Acropolis Upgrade Guide
- Acropolis 5.20 Family Release Notes
- Firewall Requirements 5.20
- AOS 5.20.3 Download
- AOS 5.20.3 Release Notes
- AHV 20201105.2244 Download
- AHV 20201105.2244 Release Notes
- Upgrade Path
- Hypervisor json files
- Nutanix Compatibility Matrix
- Software Product Interoperability
Enjoy the new version and its capabilities..
————————————————————————————————————————————————————————————