Release Notes for AsyncOS 9.6 for Cisco Email Security Appliances
 
  Installation and Upgrade Notes
Virtual Appliances: Important! Required Changes for SSH Security Vulnerability Fix

Requirements in this section were introduced in AsyncOS 9.6.

The following security vulnerability will be fixed during upgrade if it exists on your appliance:

If you did not patch this issue before upgrading, you will see a message during upgrade stating that it has been fixed. If you see this message, the following actions are required to return your appliance to full working order after upgrade:

- Remove the existing entry for your appliance from the known hosts list in your ssh utility. Then ssh to the appliance and accept the connection with the new key.
- If you use SCP push to transfer logs to a remote server (including Splunk): Clear the old SSH host key for the appliance from the remote server.
- For cluster configurations (Email Security appliances):
  a. Delete the host keys of all virtual Email Security appliances using logconfig > hostkeyconfig > delete. (The host keys are modified after upgrade.)
  b. Add the new key for each virtual Email Security appliance to all machines in the cluster using logconfig > hostkeyconfig > scan. Use the IP address of each virtual Email Security appliance in the cluster.
     For example, if there are two virtual Email Security appliances in a cluster, update the host keys of both appliances on both machines. So, run the following commands on both appliances in the cluster:
     logconfig > hostkeyconfig > scan > <IP address of vESA1>
     and
     logconfig > hostkeyconfig > scan > <IP address of vESA2>
  c. Reconnect the machines to the cluster using the clusterconfig command.
  d. Verify that the machines are reconnected properly by using the clusterconfig > connstatus command to check connection status.

If your deployment includes a Cisco Content Security Management Appliance, see important instructions in the Release Notes for that appliance.
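The known-hosts cleanup in the first step is normally done with ssh-keygen -R on the administrator's workstation. As an added illustration, not Cisco's code and not part of these release notes, the following Python helper shows what that removal has to cover (plain host lists, the [host]:port form, and OpenSSH hashed entries) and computes the SHA256 fingerprint of a host key so that the replacement key can be checked against a fingerprint obtained out of band before the first post-upgrade connection is accepted. All host names, addresses and key blobs are constructed sample data.

```python
import base64
import hashlib
import hmac

def _fake_ed25519(seed: int) -> str:
    """Constructed ssh-ed25519 key blob (wire format: type string + 32-byte key); not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed] * 32)
    return base64.b64encode(blob).decode()
OLD_KEY, NEW_KEY = _fake_ed25519(1), _fake_ed25519(2)  # stand-ins for pre-/post-upgrade host keys

def _hash_host(host: str, salt: bytes = bytes(range(20))) -> str:
    """OpenSSH hashed host pattern: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
# Constructed known_hosts: three stale entries for one appliance plus an unrelated log server.
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"vesa1.example.test,192.0.2.10 ssh-ed25519 {OLD_KEY}",
    f"[192.0.2.10]:2222 ssh-ed25519 {OLD_KEY}",
    f"{_hash_host('192.0.2.10')} ssh-ed25519 {OLD_KEY}",
    f"splunk.example.test ssh-ed25519 {NEW_KEY}",
])

def _pattern_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host pattern (plain list, [host]:port, or hashed); no wildcards."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    for h in pattern.split(","):
        if h.startswith("[") and "]:" in h:  # non-default port is written as [host]:port
            h = h[1:h.index("]:")]
        if h == host:
            return True
    return False

def purge_host(known_hosts: str, host: str) -> tuple[str, list[str]]:
    """Return (known_hosts text without entries for `host`, the stale lines removed)."""
    kept, removed = [], []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or line.startswith("#"):  # blank lines and comments are kept
            kept.append(line)
            continue
        pattern = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority etc.
        (removed if _pattern_matches(pattern, host) else kept).append(line)
    return "\n".join(kept), removed

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
```

Write the kept text back to ~/.ssh/known_hosts only after reviewing the removed lines; a hashed entry recorded with a non-default port must be looked up as "[host]:port".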
Replace Old Demo Certificates

After upgrading to AsyncOS 9.6 or later, you can no longer use the following IronPort appliance demo certificates: delivery_cer, https_cer, ldaps_cer, and receiving_cer. These certificates were created using older ciphers and are not compatible with the TLS version of the appliance. As a result, the communication between the services using these certificates and certain domains may fail. After upgrading, replace these certificates with the new demo certificate. For more information, see .