
R81.10 Jumbo Hotfix Accumulator take #150 has been released today

eranzo
Employee

Hi All,

 

R81.10 Jumbo Hotfix Accumulator take #150 has been released today, and is available for download.

 

Please note the following:

  • Availability:
      o Available to download via the Jumbo documentation (R81.10
      o Available for download via CPUSE by using package identifier.
      o Can be provided by customer support

 

Content included in this take:

  • PRJ-55495 - CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.
  • PRJ-55470 - Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower and not updated after the upgrade to R80.30 is blocked until the password is reset. Refer to sk182336.
  • List of resolved issues in this take can be found in the Jumbo documentation (R81.10

Note:

  • Central Deployment allows you to perform a batch deployment of Hotfixes on your Security Gateways and clusters from SmartConsole!! For more information, see sk168597.

 

Thanks,

Release Operations Group

34 Comments
CaseyB
Advisor

Does the previously released hotfix for CVE-2024-24919 need to be uninstalled before upgrading to JHF 150 or can the JHF be installed on-top of the hotfix with no issues?

Moti
Admin

@CaseyB no need to uninstall the previously released hotfix for CVE-2024-24919

Tsahi_Etziony
Employee

No need to uninstall the CVE fix. This newly released JHF includes the fix, and therefore there shouldn't be any conflict. 

genisis__
Leader

Do we know if this will go to recommended release, very quickly?
Additionally, what's the ETA on the R81 and R81.20 Jumbo releases?

Tsahi_Etziony
Employee

@genisis__, as always, we want to see that the jumbo is not causing any unexpected issues, and then we'll recommend it. We are aiming to recommend it relatively quickly.

R81.20 and R81 are to be released very soon.

Nevertheless, I advise against waiting for the release of the other jumbos or for the declaration of recommended, and postponing the installation of the CVE fix.

the_rock
Legend

Hey guys,

On a similar note, when the next R81.20 jumbo comes out, I assume there won't be any conflicts either to install it based on latest vulnerabilities?

Best,

Andy

Tsahi_Etziony
Employee

@the_rock correct

the_rock
Legend

Thanks @Tsahi_Etziony, that's great news!

Andy

the_rock
Legend

Hey gents,

Any idea when the next R81.20 jumbo may be ready? I was on vacation, but got a couple of emails from customers asking me that and I assume it's because of this new vulnerability that came out last week.

Best,

Andy

gadt
Employee

Hi the_rock,

We are planning to release a new R81.20 Jumbo by end of day.

Gadi

Alex-
Leader

Any plans to have the vulnerability fixed at the source, i.e. in the base image of supported versions?

Norbert_Bohusch
Advisor

This wouldn't help, because if an older JHF is installed on the base image, which replaces the relevant files, the vulnerability would be there again.

Alex-
Leader

Makes sense. With some impacted versions still supported for some years, we need to ensure that customers self-installing and not always aware only use a corrected software version with the fix.

the_rock
Legend

Thanks @gadt 

Aviv_Abramovich
Employee

@Alex- Yes, we will replace all the base versions for supported releases with images that will include the fixes integrated. The images will be up on the download center later today. We will notify this community.

the_rock
Legend

@Aviv_Abramovich Need advice on something slightly unrelated, well, just version, but same topic really. Do you think it's okay, say, if a customer approached and asked if they should install the latest jumbo 65 for R81.20?

Reason I ask this is because I see it contains the fix for the latest CVE, but obviously it's not recommended yet.

Thoughts?

Best,

Andy

Aviv_Abramovich
Employee

@the_rock yes, R81.20 + JHF65 can replace the need to install the CVE hotfix as it already contains this fix as well as the local accounts authentication through password-only. Being a JHF it also contains a couple of other unrelated fixes (see the JHF release notes for details).

the_rock
Legend

Thanks @Aviv_Abramovich . I was under impression that it would get rid of gateway listed from the script I mentioned, but as @Norbert_Bohusch indicated, that is not the case.

Sorry, was on vacation for 2 weeks, so just trying to "digest" all this now.

Best,

Andy

IgorSpitters
Explorer

@Tsahi_Etziony what is relatively quick? A couple of days or more than a week? Since now there are no recommended takes within SmartConsole or Gaia available. What is the best suggestion: to download R81.10 take 139 and install the hotfix if applicable, or install R81.10 take 150? I was at the end of upgrading a batch of firewalls to take 139.

 

Kind regards.

the_rock
Legend

Considering how unique the whole situation is, I would not be worried that jumbo 150 for R81.10 and take 65 for R81.20 are so new, I am suggesting everyone to install them, as they contain all those fixes.

Best,

Andy

Jennifer_Wilson
Contributor

Having installed (using Smartconsole " Install Hotfix/Jumbo") JHF Take 150 on my gateway cluster, my smartconsole is now showing the recommended Jumbo to be Take 139?

Take 139 was previously installed.
Gaia and all the various cli commands show Take 150 to be installed OK.

Updating to latest Smartconsole client and logging off/on made no difference.

This just a cosmetic bug?
regards,
Jen.

MatanYanay
Employee

Hi @Jennifer_Wilson 

Please try to do it now and let me know if you still see Take 139 as recommended or not.

Thanks 

Matan.

 

Jennifer_Wilson
Contributor

Hi Matan,

Try to do what now?

Regards,

Jen.

MatanYanay
Employee

@Jennifer_Wilson  logoff and login

and let me know if you still see take 139 as recommended or you see take 150 as recommended  and add screenshots if you still have the problem

Jennifer_Wilson
Contributor

Matan,

logged off and on and it is still showing.
2 screenshots attached, smartconsole and Gaia of one of the gateways.

Regards,

Jen.

the_rock
Legend

@Jennifer_Wilson I'm 99% sure it's cosmetic. I get that behavior in 3 labs.

Andy

MatanYanay
Employee

Thanks @Jennifer_Wilson and @the_rock 

We will look into it internally again and update

Thanks 

Matan. 

 

the_rock
Legend

@MatanYanay I will check my labs soon to confirm 100%, just working on some other stuff atm.

Andy

Jennifer_Wilson
Contributor

It's showing as "Up to date" now (believe this changed last night).


If someone did something in the background then thank you.
Regards,

Jen.

the_rock
Legend

I saw in 2 labs showed fine and 1 was showing incorrect. I always assumed that was a cosmetic bug, as if you think about it logically, say if you have latest take, well, that is NOT recommended one, so to me, makes sense why it would show lower take as recommended.

Andy

MatanYanay
Employee

@Jennifer_Wilson  and @the_rock 

regardless we are still trying to reproduce it internally and understand if it's a bug or bug in our design 🙂 

once we replicate the bug we will understand the RC and I will update 

but indeed it is only a cosmetic issue

@Jennifer_Wilson  can you please share your screenshots again with me offline ( matany@checkpoint.com) , I want to see what you see in your SC 

 

the_rock
Legend

Thank you @MatanYanay , appreciate the efforts mate.

Andy

the_rock
Legend

@MatanYanay 

I just checked my notes and saw this happened once in R80.40 lab and went away the next day, was always there in R81.10 lab and twice in R81.20 after jumbo, but then would disappear 24-48 hours later.

Again, I always assumed it was cosmetic.

Andy

Jennifer_Wilson
Contributor

Thanks Matan and Boaz.
Both SmartConsole and Gaia are now not showing Take139 as Recommended update.
(Was asked to do a "Check for updates" but Gaia had already sorted itself out prior to this (Check for updates running in background?))
Regards,

Jen.
