
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN253
_____________________________________________________________________

DATE                : 07/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running NGINX Controller versions prior to
                     3.4.0.

=====================================================================
https://docs.nginx.com/nginx-controller/releases/#nginx-controller-version-3-4-0
https://support.f5.com/csp/article/K95120415
https://support.f5.com/csp/article/K13028514
_____________________________________________________________________

NGINX Controller Version 3.4.0

May 6, 2020


These release notes provide general information and describe known
issues for NGINX Controller version 3.4.0, in the following categories:

    Updates
    Resolved Issues
    Known Issues
    Supported Versions


Updates

NGINX Controller 3.4.0 includes the following updates:

    Bug fixes and improvements.
    Improved Controller Agent error messages that make it easier to
     troubleshoot connectivity issues during installation.
    Write permissions for the platform/global endpoint are limited only
     to the Admin role now, to safeguard against changes to critical
     server and database configurations.
    Audit events are exposed using the /events endpoint.


Resolved Issues

Vulnerability Fixes

Vulnerability issues are disclosed only when a fix is available. For
information about a vulnerability fix, including the recommended action,
see the linked AskF5 Solution Article for details.

    Malformed messages lead to segmentation fault of the Analytics,
     Visibility, and Reporting daemon (AVRD) (9068)
        Solution Article: K95120415 | CVE-2020-5895
    The Analytics, Visibility, and Reporting daemon (AVRD) is
      world-readable and writeable (9067)
        Solution Article: K95120415 | CVE-2020-5895
    The NGINX Controller webserver does not invalidate the server-side
     session token when users log out, so a token captured before logout
     remains usable afterwards (8576)
        Solution Article: K13028514 | CVE-2020-5894
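The last item (CVE-2020-5894) is worth checking for on any web application,
not only NGINX Controller: if logout merely expires the cookie in the browser
but the server keeps honouring the token, anyone who captured the token keeps
an authenticated session. The following Go program is an added illustration
written for this note, not NGINX Controller code or a published F5 check. It
stands up a tiny in-process server in two configurations (server-side
invalidation off, which reproduces the bug class, and on, which is the fix)
and runs the replay test against each. The endpoint names /login, /logout and
/api/whoami and the cookie name "session" are assumptions chosen for the
example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// sessionServer is a minimal stand-in for a web application that issues an
// opaque server-side session token at login (illustration code only).
type sessionServer struct {
	mu                 sync.Mutex
	sessions           map[string]string // token -> user
	invalidateOnLogout bool              // false reproduces the bug class of CVE-2020-5894
}

func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func (s *sessionServer) handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		// Credential checking is assumed to have happened; only the session is modelled.
		tok := newToken()
		s.mu.Lock()
		s.sessions[tok] = "admin"
		s.mu.Unlock()
		http.SetCookie(w, &http.Cookie{Name: "session", Value: tok, HttpOnly: true})
	})
	mux.HandleFunc("/logout", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err == nil && s.invalidateOnLogout {
			s.mu.Lock()
			delete(s.sessions, c.Value) // the fix: forget the token server-side
			s.mu.Unlock()
		}
		// Expiring the cookie only tells the browser to drop it; a captured
		// token stays usable unless the server forgets it too.
		http.SetCookie(w, &http.Cookie{Name: "session", Value: "", MaxAge: -1})
	})
	mux.HandleFunc("/api/whoami", func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		s.mu.Lock()
		user, ok := s.sessions[c.Value]
		s.mu.Unlock()
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, user)
	})
	return mux
}

// tokenReplayedAfterLogout logs in, logs out, then replays the original
// token against an authenticated endpoint. It returns true when the server
// still honours the token, i.e. logout did not invalidate the session.
func tokenReplayedAfterLogout(baseURL string) (bool, error) {
	resp, err := http.Post(baseURL+"/login", "application/json", nil)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	var tok string
	for _, c := range resp.Cookies() {
		if c.Name == "session" {
			tok = c.Value
		}
	}
	if tok == "" {
		return false, fmt.Errorf("login did not set a session cookie")
	}
	// Deliberately no cookie jar: keep presenting the original token
	// regardless of what /logout tells the browser to do with it.
	get := func(path string) (int, error) {
		req, err := http.NewRequest(http.MethodGet, baseURL+path, nil)
		if err != nil {
			return 0, err
		}
		req.AddCookie(&http.Cookie{Name: "session", Value: tok})
		r, err := http.DefaultClient.Do(req)
		if err != nil {
			return 0, err
		}
		r.Body.Close()
		return r.StatusCode, nil
	}
	if code, err := get("/api/whoami"); err != nil || code != http.StatusOK {
		return false, fmt.Errorf("session unusable before logout (status %d): %v", code, err)
	}
	if _, err := get("/logout"); err != nil {
		return false, err
	}
	code, err := get("/api/whoami")
	return code == http.StatusOK, err
}

// checkServer runs the replay test against an in-process server built
// with or without server-side invalidation.
func checkServer(invalidateOnLogout bool) (bool, error) {
	s := &sessionServer{sessions: map[string]string{}, invalidateOnLogout: invalidateOnLogout}
	srv := httptest.NewServer(s.handler())
	defer srv.Close()
	return tokenReplayedAfterLogout(srv.URL)
}

func main() {
	for _, fixed := range []bool{false, true} {
		replayed, err := checkServer(fixed)
		fmt.Printf("invalidateOnLogout=%v tokenReplayed=%v err=%v\n", fixed, replayed, err)
	}
}
```

Against a real deployment the same three-step probe (login, logout, replay
the saved token) is the test to run after applying the fix; a 401 or
equivalent on the replay is the expected result. Note that the probe must
not use a cookie jar, otherwise the client silently honours the expiring
Set-Cookie from logout and the replay is never attempted with the old token.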


Additional Fixes

    API Management module doesn’t need to run on dedicated NGINX Plus
instances (8665)


Known Issues

Installation and Upgrade

    Identity Provider API keys are not migrated during full or
incremental upgrades from NGINX Controller v3.0 to v3.4 (11286)

    When the conditions noted below are met, the Identity Provider API
keys are not migrated and must be re-entered.

    Conditions:

    This issue applies when any one of the following is true:
        You are running NGINX Controller v3.0.
        You are running NGINX Controller v3.2, which you previously
         upgraded from NGINX Controller v3.0.
        You are running NGINX Controller v3.3, which you previously
         upgraded from NGINX Controller v3.0.

    Workaround:

    Step 1: Copy and save your Identity Provider API keys

    Before upgrading, you must complete the following steps to copy and
save any Identity Provider API keys that you have.

        Open the NGINX Controller web interface and log in.
        Select the NGINX controller menu icon, then select Services.
        On the Services menu, select APIs.
        On the API Management menu, select Identity Provider. The
         Identity Provider overview page is displayed.
        Locate the Identity Provider that contains the API key that you
         need to migrate, then select the pencil (edit) icon.
        In the API Clients pane, select the Edit button to display the
         Identity Provider API key.
        Copy the Identity Provider API key value and save it locally.
         You’ll need to re-enter this value after you upgrade.

    You can now complete the upgrade to NGINX Controller v3.4.


    Step 2: Restore your Identity Provider API keys

    After you’ve upgraded to NGINX Controller v3.4, you can restore the
Identity Provider API keys that you saved.

        Open the NGINX Controller web interface and log in.
        Select the NGINX controller menu icon, then select Services.
        On the Services menu, select APIs.
        On the API Management menu, select Identity Provider. The
         Identity Provider overview page is displayed.
        Locate the Identity Provider that contains the API key that you
         need to migrate, then select the pencil (edit) icon.
        In the API Clients pane, select the Edit button to display the
         Identity Provider API key.
        Paste the copied Identity Provider API key that you saved in the
         previous procedure into the key field. Then, click Save.

    NGINX Controller v3 does not support RHEL 7 (11282)

    NGINX Controller v3 does not support Red Hat Enterprise Linux (RHEL)
v7. The NGINX Controller installation fails during the Docker version
check. Manually updating the Docker version on RHEL 7 does not solve the
problem.


Apps and Services

    Certificates imported out of order using drag-and-drop cause an
error when creating a cert bundle (10761)

    When certificates are imported using the drag-and-drop feature in
the NGINX Controller web interface, the system expects the first
certificate that’s added to be the public certificate. Additional
certificates that are added are treated as intermediate CA certs.

    If the certificates aren’t added in order, with the public
certificate added first, the resulting API request has transposed values
for the publicCert and caCert parameters: the CA certificate is submitted
as the server's public certificate and vice versa.


    Workaround:

    When adding certificates using drag-and-drop, always drag the public
cert file in first, followed by any additional CA certificates. The
private key can be dragged in either before or after the certificates.
Alternatively, you can choose to copy and paste the PEM text into the
corresponding fields.
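The root cause above is that the interface infers the role of each
certificate from the order it arrived in rather than from its contents. The
following Go program is an added example written for this note, not NGINX
Controller code; it shows the check a practitioner can run on a bundle before
submitting it to the API. It classifies each PEM certificate as end-entity or
CA from its basicConstraints extension, refuses bundles with zero or several
end-entity certificates, and verifies that the end-entity certificate
actually chains to the supplied CA certificates. The throwaway CA and leaf
certificate it generates are constructed test data; the names "Example Test
CA" and "app.example.com" are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// splitBundle sorts PEM certificates into the end-entity ("public") cert and
// the CA certs by inspecting each certificate's basicConstraints, so the
// result does not depend on the order the files were supplied in. It also
// verifies that the end-entity cert chains to the supplied CA certs.
func splitBundle(pems [][]byte) (publicCert []byte, caCerts [][]byte, err error) {
	var leaf *x509.Certificate
	roots := x509.NewCertPool()
	for _, p := range pems {
		block, _ := pem.Decode(p)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, nil, errors.New("input is not a PEM CERTIFICATE block")
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, err
		}
		if cert.IsCA {
			caCerts = append(caCerts, p)
			roots.AddCert(cert)
			continue
		}
		if leaf != nil {
			return nil, nil, errors.New("bundle holds more than one end-entity certificate")
		}
		leaf, publicCert = cert, p
	}
	if leaf == nil {
		return nil, nil, errors.New("bundle holds no end-entity certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, nil, fmt.Errorf("end-entity cert does not chain to the supplied CA certs: %w", err)
	}
	return publicCert, caCerts, nil
}

// makeTestChain generates a throwaway CA and a leaf certificate signed by it.
// This is constructed test data for the example, not a real PKI.
func makeTestChain() (leafPEM, caPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // parsed copy carries the generated SubjectKeyId
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "app.example.com"},
		DNSNames: []string{"app.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	toPEM := func(der []byte) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return toPEM(leafDER), toPEM(caDER), nil
}

func main() {
	leafPEM, caPEM, err := makeTestChain()
	if err != nil {
		panic(err)
	}
	// Supply the files in the "wrong" order (CA first): the classifier still
	// picks the right publicCert instead of transposing the two.
	pub, cas, err := splitBundle([][]byte{caPEM, leafPEM})
	if err != nil {
		panic(err)
	}
	fmt.Printf("publicCert is the leaf: %v, caCert count: %d\n", string(pub) == string(leafPEM), len(cas))
}
```

The chain verification is what turns this from a convenience into a safety
check: a bundle whose "CA" certificate did not sign the leaf (a stray
certificate dragged into the wrong dialog, for instance) is rejected rather
than being uploaded as a broken cert bundle.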


Platform

    Cannot change SMTP password using the platform/global endpoint (11049)

    Sending the SMTP password in a PATCH request to the platform/global
endpoint has no effect.


    Workaround:

    To change the SMTP password, use the helper.sh script that’s located
in /opt/nginx-controller/ on the NGINX Controller host. For instructions,
see the documentation that’s installed with NGINX Controller:
https://<Controller-FQDN>/docs/platform/using-helper-script/#update-smtp-settings.


Documentation

    Security section appears in the documentation but has no content (11294)

    In NGINX Controller v3.4, a “Security” panel appears in the
“Services” section of the onboard documentation. If you click on the
Security panel, you will not see any content listed because there is no
security documentation for this release. Users should disregard the
“Security” panel in the documentation for this release.


Supported Versions

    NGINX Plus R19
    NGINX Plus R20
    NGINX Plus R21


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================