R81.20 Jumbo Hotfix Accumulator take #65 has been released today

Will install it in the lab and report back.

Andy

K, just installed, rebooted, lets give it 24 hours and see if all is well.

Best,

Andy

Just installed it on lab gw, ran script for CVE in question from https://support.checkpoint.com/results/sk/sk182336 and still shows vulnerable. Its the one named CP-gateway as per below

[Expert@CP-gw:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000239 for GAIA
[FW1]
HOTFIX_R81_20_JHF_T54_BLOCK_PORTAL_MAIN Take: 2
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 65
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 030
kernel: R81.20 - Build 038

[Expert@CP-gw:0]#

Andy

There is a big misunderstanding.

The script only checks if remoteaccess or mobileaccess is enabled on a gateway and lists it as "possibly" vulnerable.

The patch or JHF will not change the output of the script!

@Norbert_Bohusch Ah, I see, my bad. I thought if installed would get rid of it, as it shows fix is included in this jumbo, but suppose I was mistaken.

Andy

Reminder from sk182336:

Thanks @PhoneBoy 

I might be misunderstanding things but the release notes no longer seem to give prominence to a "Recommended" take.  Is JHF recommended or is that still JHF 53?

@MattGo 

we recommend that all customers upgrade to take 65 -- as it includes the CVE fix 

we aim to move the take to be recommended formally very quickly 

Thanks 

Matan.

@MatanYanay I also mentioned this to few customers and they totally understood. Normally, most people would wait until jumbo is recommended, but given the circumstances, this is a bit different.

Cheers mate.

Andy

Hi Andy,

we are planning to install the Take 65 on Saturday, did you have any problems with the new take?

Thank you for your feedback!

Cheers

Rok

Hey Rok,

No issues so far that I noticed in the lab. As a matter of fact, contrary to it, all seems BETTER! 

Andy

@Mlinko We installed jumbo 65 for one client last night, no issues so far, though its not business hours in EST time zone yet, but Im sure it will be fine. We are doing another one that has S1C mgmt server tonight as well. Im literally "forcing" everyone to install this newest take, because while yes, its not recommended yet, but I dont care, given the circumstances, it has to be done.

Best,

Andy

We installed this Take on a SecureXL cluster and SNX won't start.

The fix consisting of editing the two phpincs files has been re-applied but no luck there, the Connect button cycles for some time and then nothing happens.

Multiple PC tested and so on. We quickly switched to Endpoint as workaround.

@Mlinko Updated another customer last night, they are super happy, all good!

@Alex- Are you referring to sk181805?

@MatanYanay 

Hello,
is the date already known when the T65 as GA will be available?
Thanks!!

@Pauli I would NOT wait for that. Again, given the circumstances, Im telling everyone to install it. Just make sure none of these apply to you.

Andy

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Important-Notes.htm?tocpath=_____2

@Chris_Atkinson Yes, although we're checking again if it was implemented completely. It was a good opportunity to flash-migrate to Endpoint VPN since this customer already uses HEP, though.

We also updated all the GWs and MGMTs and didn't have any issues until now.

KR
Rok