R81.10 Jumbo Hotfix Accumulator take #150 has been released today

Does the previously released hotfix for CVE-2024-24919 need to be uninstalled before upgrading to JHF 150 or can the JHF be installed on-top of the hotfix with no issues?

@CaseyB no need to uninstall thepreviously released hotfix for CVE-2024-24919

No need to uninstall the CVE fix. This newly released JHF includes the fix, and therefore there shouldn't be any conflict. 

Do we know if this will go to recommended release, very quickly?
Additionally whats the ETA on the R81 and R81.20 Jumbo releases?

@genisis__ , as always,  we want to see that the jumbo is not causing any unexpected issues,  and then we'll recommend it. We are aiming to recommend it relatively quickly.

R81.20 and R81 are to be released very soon.

Nevertheless, I advise against waiting for the release of the other jumbos or for the declaration of recommended, and postpone the installation of the CVE fix. 

Hey guys,

On similar note, when next R81.20 jumbo comes out, I assume there wont be any conflicts either to install it based on latest vulnerabilities?

Best,

Andy

@the_rock correct

Thanks @Tsahi_Etziony , thats great news!

Andy

Hey gents,

Any idea when next R81.20 jumbo may be ready? I was on vacation, but got couple of emails from customers asking me that and I assume its because of this new vulnerability that came out last week.

Best,

Andy

Hi the_rock,

We are planning to release a new R81.20 Jumbo by end of day.

Gadi

Any plans to have the vulnerability fixed at the source, i.e. in the base image of supported versions?

This wouldn't help, because if an older JHF is installed on the base image, which replaces the relevant files, the vulnerability would be there again.

Makes sense. With some impacted versions still supported for some years, we need to ensure that customer self-installing and not always aware only use a corrected software version with the fix.

Thanks @gadt 

@Alex- Yes, we will replace all the base versions for supported releases with images that will include the fixes integrated. The images will be up on the download center later today. We will notify this community.

@Aviv_Abramovich Need an advice on something slightly unrelated, well, just version, but same topic really. Do you think its okay say if customer approached and asked if they should install latest jumbo 65 for R81.20?

Reason I ask this is because I see it contains fix for latest CVE, but obviously its not recommended yet.

Thoughts?

Best,

Andy

@the_rock yes, R81.20 + JHF65 can replace the need to install the CVE hotfix as it already contain this fix as well as the local accounts authentication through password-only. Being a JHF it also contains a couple of other unrelated fixes (see the JHF release notes for details).

Thanks @Aviv_Abramovich . I was under impression that it would get rid of gateway listed from the script I mentioned, but as @Norbert_Bohusch indicated, that is not the case.

Sorry, was on vacation for 2 weeks, so just trying to "digest" all this now.

Best,

Andy

@Tsahi_Etziony what is relatively quick? A couple of days or more then a week? Since now there are no recommended takes withing smartconsole or gaia available. What is the best suggestion to download r81.10 take 139 and install the hotfix if applicable or install r81.10 take 150. I was at the end of upgrading a batch of firewall to take 139.

Kind regards.

Considering how unique the whole situation is, I would not be worried that jumbo 150 for R81.10 and take 65 for R81.20 are so new, I am suggesting everyone to install them, as they contain all those fixes.

Best,

Andy

Having installed (using Smartconsole " Install Hotfix/Jumbo") JHF Take 150 on my gateway cluster, my smartconsole is now showing the recommended Jumbo to be Take 139?

Take 139 was previously installed.
Gaia and all the various cli commands show Take 150 to be installed OK.

Updating to latest Smartconsole client and logging off/on made no difference.

This just a cosmetic bug?
regards,
Jen.

Hi @Jennifer_Wilson 

Please try to do it now and let me know if you still see Take 139 as recommended or not.

Thanks 

Matan.

Hi Matan,

Try to do what now?

Regards,

Jen.

@Jennifer_Wilson  logoff and login

and let me know if you still see take 139 as recommended or you see take 150 as recommended  and add screenshots if you still have the problem

Matan,

logged off and on and it is still showing.
2 screenshots attached, smartconsole and Gaia of one of the gateways.

Regards,

Jen.

@Jennifer_Wilson Im 99% sure its cosmetic. I get that behavior in 3 labs.

Andy

Thanks @Jennifer_Wilson and @the_rock 

We will look into it internally again and update

Thanks 

Matan. 

@MatanYanay I will check my labs soon to confirm 100%, just working on some other stuff atm.

Andy

It's showing as "Up to date" now (believe this changed last night).

If someone did something in the background then thank you.
Regards,

Jen.

I saw in 2 labs showed fine and 1 was showing incorrect. I always assumed that was a cosmetic bug, as if you think about it logically, say if you have latest take, well, that is NOT recommended one, so to me, makes sense why it would show lower take as recommended.

Andy

@Jennifer_Wilson  and @the_rock 

regardless we are still trying to reproduce it internally and understand if it's a bug or bug in our design 🙂 

once we replicate the bug we will understand the RC and I will update 

but indeed it is only a cosmetic issue

@Jennifer_Wilson  can you please share your screenshots again with me offline ( matany@checkpoint.com) , I want to see what you see in your SC 

Thank you @MatanYanay , appreciate the efforts mate.

Andy

@MatanYanay 

I just checked my notes and saw this happened once in R80.40 lab and went away the next day, was always there in R81.10 lab and twice in R81.20 after jumbo, but then would disappear 24-48 hours later.

Again, I always assumed it was cosmetic.

Andy

Thanks Matan and Boaz.
Both SmartConsole and Gaia are now not showing Take139 as Recommended update.
(Was asked to do a "Check for updates" but Gaia had already sorted itself out prior to this (Check for updates running in background?))
Regards,

Jen.