
XIQ OnPrem / IQVA New Release


daniel1
Contributor

Hi,

Can anyone from Extreme tell me when you plan to release a new feature version of XIQ OnPrem?

This is getting ridiculous: no big feature update for one and a half years, and we still have to use 21.1.x, so the January 2021 version according to your scheme.

2 ACCEPTED SOLUTIONS

BillL
Extreme Employee

Hello,

Allow me to simplify. As the bulletin says, "In certain configurations, an attacker could execute arbitrary commands with the privileges of the script." In IQVA, yes, c_rehash is present. However, IQVA does not use it in any process, the configurations required for exploit are non-existent, and access to the OS in any capacity to expose it is not exposed. Several other CVEs are being tackled in the January release, specifically CVE-2021-4034. And no, the January release is not a joke, and is currently tracking as follows:

  • Dev Start:  (after 22r7 in cloud). on or about 11/15
  • Dev Complete:  12/15 (4w development time)
  • QA Test: 3w beginning in early January
  • GA Available:  end of January

 

Bill Lundgren, Distinguished Engineer
Portfolio Architect - Architecture, Security and Compliance
Extreme Networks


BillL
Extreme Employee

@daniel1 I just spoke to the team that's doing it and you should see it in the next week or so. QA testing is complete, the final build approved, and release notes should be finalized today (2/23). Then we just have to work to get it posted.

Bill Lundgren, Distinguished Engineer
Portfolio Architect - Architecture, Security and Compliance
Extreme Networks


11 REPLIES


@BillL It's end of February already, do you have an update for the release date?


Well, this information would have been great to see in the KB article and not here, as it creates (at least for me) a lot of confusion, especially in terms of a new IQVA release.
But I don't get why you can't simply patch the OpenSSL version with the new release. As per your support policy, the major support for IQVA runs until December 2023.

But thanks for the clarification.

systemscsn
Valued Contributor

@daniel1 Wow, am I glad that we went to the cloud right off the bat! Looks like a total frigging nightmare... then it's going to be End Of Life pretty soon.... Again, so grateful, because we have two ZoneDirectors from Ruckus and I LOVED it.. I didn't have to push configs (that reboot the AP for full config) to APs one by one to get an ACL to work, I could block MACs to my heart's content, and block content, and a ton more.. Heartbreaking to lose it... It was easy and awesome (not like cloud or on-prem of this XIA).. It was great, but it outlived its purpose and we had to go with something newer... I could have gotten screwed if I'd pushed for an on-prem solution instead of cloud based, reading the issues you are having and the total lack of updates and patches. Sorry, mate. Jason
