Release Notes for RSA NetWitness Platform 11.4.1.1 - Table of Contents

Document created by RSA Information Design and Development on May 20, 2020. Last modified by Suresh Babu on May 21, 2020.
Version 6

This document lists the security fixes for NetWitness Platform 11.4.1.1. Read this document before deploying or upgrading to NetWitness Platform 11.4.1.1.

Fixed Issues

This section lists issues fixed since the last major release.

Security Fixes

Tracking Number: ASOC-95662

Description: SALT STACK Vulnerabilities

  • CVE-2020-11651: The salt-master process ClearFuncs class does not properly validate method calls.
  • CVE-2020-11652: The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths.

Build Numbers

The following table lists the build numbers for the components of NetWitness Platform 11.4.1.1.

Component | Version Number
NetWitness Platform Component Descriptor | 11.4.1.1-2005111814.5
NetWitness Platform Deployment Upgrade | 11.4.1.1-2005051914.5
NetWitness Platform Legacy Web Server | 11.4.1.1-200511142513.5
NetWitness Platform User Interface | 11.4.1.1-200506105021.5
Python setup Tools | 36.6.0-3.ius.el7
SALT | 3000.2-1.el7
SALT API | 3000.2-1.el7
SALT Master | 3000.2-1.el7
SALT Minion | 3000.2-1.el7
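
To confirm after the upgrade that a host carries the Salt build listed above, the following added example (not part of the RSA release notes) audits `rpm -q` output against version 3000.2. The RPM package names, the simplified dotted-version comparison and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm a host carries the Salt build listed in the
# Build Numbers table. The RPM package names are an assumption.

EXPECTED_SALT_VERSION="3000.2"                          # from the table above
SALT_PACKAGES="salt salt-api salt-master salt-minion"   # assumed RPM names

# version_lt A B: succeeds when dotted numeric version A is older than B.
# Simplified comparison; it does not implement full RPM version ordering.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# audit_salt_versions: reads "name version-release" lines on stdin, prints
# one verdict per tracked package, and returns 1 if any package is older
# than EXPECTED_SALT_VERSION. Packages not installed are reported, not failed.
audit_salt_versions() {
    audit_input=$(cat)
    audit_rc=0
    for pkg in $SALT_PACKAGES; do
        ver=$(printf '%s\n' "$audit_input" |
              awk -v p="$pkg" '$1 == p { print $2; exit }')
        if [ -z "$ver" ]; then
            echo "ABSENT $pkg"              # not installed on this host
        elif version_lt "${ver%%-*}" "$EXPECTED_SALT_VERSION"; then
            echo "OUTDATED $pkg $ver"
            audit_rc=1
        else
            echo "OK $pkg $ver"
        fi
    done
    return "$audit_rc"
}

# Constructed sample of rpm query output (not taken from a real host).
SAMPLE_RPM_OUTPUT='salt 3000.2-1.el7
salt-master 3000.2-1.el7
salt-minion 2019.2.0-1.el7
package salt-api is not installed'

# On a real host, feed the function from rpm instead of the sample:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' $SALT_PACKAGES | audit_salt_versions
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | audit_salt_versions ||
    echo "At least one Salt package is older than $EXPECTED_SALT_VERSION"
```
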

Upgrade Instructions

Read this information and follow these procedures to upgrade to NetWitness Platform version 11.4.1.1.

The following upgrade paths are supported for NetWitness Platform 11.4.1.1:

  • NetWitness Platform 11.2.x.x to 11.4.1.1
  • NetWitness Platform 11.3.x.x to 11.4.1.1
  • NetWitness Platform 11.4.0.x to 11.4.1.1
  • NetWitness Platform 11.4.1.0 to 11.4.1.1

To upgrade from NetWitness Platform 11.2.x.x or 11.3.x.x to 11.4.1.1, you must download files for the 11.4.0.0 base pack, 11.4.1.0 service pack and the 11.4.1.1 patch release.

To upgrade from NetWitness Platform 11.4.0.x to 11.4.1.1, you must download files for the 11.4.1.0 service pack and the 11.4.1.1 patch release.

To upgrade from NetWitness Platform 11.4.1.0 to 11.4.1.1, you only need to download files for the 11.4.1.1 patch release.

You can apply the 11.4.1.1 patch using one of the following options:

  • If the NetWitness Server has internet connectivity to Live Services, the NetWitness Platform User Interface can be used to apply the patch.

  • If the NetWitness Server does not have internet connectivity to Live Services, the Command Line Interface (CLI) or the NetWitness Platform User Interface can be used to apply the patch.

Note: If you are using S4s devices that use SD cards, SSH to NW Server and run the following command before starting the upgrade process.
manage-stig-controls --disable-control-groups 7 --host-id <node uuid>

Running in Mixed Mode

Running in mixed mode occurs when some services are upgraded to the latest version and some services are on older versions. See "Running in Mixed Mode" in the RSA NetWitness Platform Hosts and Services Getting Started Guide for further information.

Upgrade Considerations for ESA Rule Deployments

Caution: In NetWitness Platform 11.3 and later versions, the ESA Correlation service contains data source changes that require changes to migrated ESA rule deployments. The newer ESA Correlation service replaces the Event Stream Analysis service in 11.2.x.x versions.

If you are upgrading from 11.2.x.x to 11.4 or later, migrated ESA rule deployments have the following changes.

  1. If an ESA rule deployment contains two services before you upgrade to 11.4 or later, the deployment splits into two deployments. You can only have one ESA Correlation service in an ESA rule deployment in version 11.4 or later.
  2. If an ESA service has multiple ESA rule deployments before you upgrade to 11.4 or later, they are combined into one deployment in version 11.4 or later.

You can still access your old deployments. For a detailed example, see the ESA Configuration Guide for RSA NetWitness Platform 11.4.

Change to Column Groups in the Events View

To improve consistency when loading results in the Events view, the number of columns in a column group is limited to 40.

After you upgrade to 11.4 or later, column groups migrated to the Events view from the Legacy Events view still function with more than 40 columns. However, when you edit those groups, you receive a warning that tells you to reduce the number of columns below the limit of 40 columns.

Upgrade Tasks

Task 1: Download the 11.4.1.1 Patch

 

Download the RSA NetWitness Platform 11.4.1.1 Upgrade Pack file, which contains all the NetWitness Platform 11.4.1.1 upgrade files, from the RSA Link https://community.rsa.com/community/products/netwitness/114/downloads to a local directory.
netwitness-11.4.1.1.zip

Upgrading from | Download and Stage file
11.2.x.x | netwitness-11.4.0.0.zip, netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip
11.3.x.x | netwitness-11.4.0.0.zip, netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip
11.4.0.x | netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip
11.4.1.0 | netwitness-11.4.1.1.zip

Task 2: Upgrade External Repository

Note: Perform the below steps only if you are using an external repository for 11.4.1.1.

To upgrade the external repository which is an externally managed server, do the following:

  1. Upgrade the external repository with the latest upgrade content for the RSA netwitness-11.4.1.1.zip.
    The following is the structure after upgrading the external repository:

Task 3: Disable Decoder Services

Before upgrading to 11.4.1.1, you must disable Capture AutoStart on Network Decoder and Network Hybrid Services.

To disable Capture Autostart:

  1. Go to ADMIN > Services.
    The Administration Services view is displayed.
  2. Select a Network Decoder or Network Hybrid service and select > View > Config.
    The services config view for the selected Network Decoder or Network Hybrid is displayed.
  3. In the Decoder Configuration panel, deselect the Capture Autostart and click Apply.

Task 4: Upgrade the Patch

You can choose one of the following upgrade methods based on your internet connectivity.

Online Method (Connectivity to Live Services): Upgrade Using NetWitness User Interface

You can use this method if the NetWitness Server is connected to Live Services and can obtain the package.

Note: If the NetWitness Server does not have access to Live Services, use Offline Method (No connectivity to Live Services): Upgrade using the Command Line Interface or Offline Method (No connectivity to Live Services): Upgrade using the NetWitness User Interface.

Prerequisites

Make sure that:

  1. The “Automatically download information about new upgrades every day” option is checked and is applied in ADMIN > System > Upgrades.
  2. Go to ADMIN > Hosts > Update > Check for Updates to check for upgrades. The Host page displays the Update Available status.
  3. 11.4.1.1 is available under “Update Version” column.

Note: If you have custom certs, move them from the /etc/pki/nw/trust/import/ directory to /root/cert. Follow these steps to move the certs:
1.) mkdir /root/cert
2.) mv /etc/pki/nw/trust/import/* /root/cert

Procedure

  1. Go to ADMIN > Hosts.
  2. Select the NetWitness Server (nw-server) host.
  3. Check for the latest updates.
  4. Update Available is displayed in the Status column if you have a version upgrade in your Local Update Repository for the selected host.
  5.  Select 11.4.1.1 from the Update Version column.
    If you:
    • Want to view a dialog with the major features in the upgrade and information on the upgrades, click the information icon to the right of the update version number.
    • Cannot find the version you want, select Update > Check for Updates to check the repository for any available upgrades. If an upgrade is available, the message "New updates are available" is displayed and the Status column upgrades automatically to show Update Available. By default, only supported upgrades for the selected host are displayed.
  6. Click Update > Update Host from the toolbar.
  7. Click Begin Update.
  8. Click Reboot Host when prompted.
  9. Repeat steps 6 to 8 for other hosts.

Note: You can select multiple hosts to upgrade at the same time only after upgrading and rebooting the NetWitness Admin server. All ESA, Endpoint, and Malware Analysis hosts should be upgraded to the same version as the NetWitness Admin Server (NW Admin Server).

Note: Not all components have been changed for 11.4.1.1, so after you perform the upgrade steps, it is normal to see some components with different version numbers. For a list of the components that were upgraded for this release, see Build Numbers.

Offline Method (No connectivity to Live Services): Upgrade using the Command Line Interface

You can use this method if the NetWitness Server is not connected to Live Services.

Note: Alternatively, you can upgrade using the Offline Method (No connectivity to Live Services): Upgrade using the NetWitness User Interface.

Prerequisites

Make sure that you have downloaded the RSA NetWitness Platform 11.4.1.1 Upgrade Pack file, which contains all the NetWitness Platform 11.4.1.1 upgrade files, from the RSA Link https://community.rsa.com/community/products/netwitness/114/downloads to a local directory.

  • If you are upgrading from an 11.2.x.x or 11.3.x.x to 11.4.1.1, download netwitness-11.4.0.0.zip, netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip.
  • If you are upgrading from an 11.4.0.x to 11.4.1.1, download netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip.
  • If you are upgrading from 11.4.1.0 to 11.4.1.1, download netwitness-11.4.1.1.zip.

Procedure

You need to perform the upgrade steps for NW Admin servers and for component servers.

Note: If you copy and paste the commands from the PDF into a Linux SSH terminal, the characters do not work. It is recommended to type the commands.

  • If you are upgrading from 11.2.x.x or 11.3.x.x to 11.4.1.1, you must stage 11.4.0.0, 11.4.1.0 and 11.4.1.1. Log into the /root directory of the Admin NetWitness Server and create the following directories:
    /tmp/upgrade/11.4.0.0
    /tmp/upgrade/11.4.1.0
    /tmp/upgrade/11.4.1.1
    and then copy the package zip files to the /root directory of the Admin server and extract the package files from /root to the appropriate directories:
    unzip netwitness-11.4.0.0.zip -d /tmp/upgrade/11.4.0.0
    unzip netwitness-11.4.1.0.zip -d /tmp/upgrade/11.4.1.0
    unzip netwitness-11.4.1.1.zip -d /tmp/upgrade/11.4.1.1
  • If you are upgrading from 11.4.0.x to 11.4.1.1, you must stage 11.4.1.0 and 11.4.1.1. Log into the /root directory of the Admin NetWitness Server and create the following directories:
    /tmp/upgrade/11.4.1.0
    /tmp/upgrade/11.4.1.1
    and then copy the package zip files to the /root directory of the Admin server and extract the package files from /root to the appropriate directories:
    unzip netwitness-11.4.1.0.zip -d /tmp/upgrade/11.4.1.0
    unzip netwitness-11.4.1.1.zip -d /tmp/upgrade/11.4.1.1
  • If you are upgrading from 11.4.1.0 to 11.4.1.1, you only need to stage 11.4.1.1. Log into the /root directory of the Admin NetWitness Server and create the following directory:
    /tmp/upgrade/11.4.1.1
    and then copy the package zip files to the /root directory of the Admin server and extract the package files from /root to the /tmp/upgrade/11.4.1.1 directory:
    unzip netwitness-11.4.1.1.zip -d /tmp/upgrade/11.4.1.1

Note: If you copied the .zip file to the created staging directory to unzip, make sure that you delete the initial .zip file that you copied to the staging location after you extract it.
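
As a preflight before running the initialize command, the following added example (not part of the RSA release notes) checks that the staging root holds a populated directory for every pack the upgrade path requires and that no netwitness-<version>.zip archive was left behind. The function names are hypothetical; the version-to-pack mapping and the /tmp/upgrade layout follow the bullets above.

```shell
#!/bin/sh
# Added example: preflight check of the CLI staging area before
# "upgrade-cli-client --init". Function names are hypothetical.

# packs_for_upgrade FROM_VERSION: print the pack versions that must be
# staged for this upgrade path; fail for a path the notes do not list.
packs_for_upgrade() {
    case "$1" in
        11.2.*|11.3.*) echo "11.4.0.0 11.4.1.0 11.4.1.1" ;;
        11.4.0.*)      echo "11.4.1.0 11.4.1.1" ;;
        11.4.1.0)      echo "11.4.1.1" ;;
        *)             return 1 ;;
    esac
}

# check_stage FROM_VERSION STAGE_DIR: report every staging problem found.
# Returns 0 when the stage is ready, 1 on problems, 2 on an unsupported path.
check_stage() {
    packs=$(packs_for_upgrade "$1") || {
        echo "unsupported upgrade path from $1"
        return 2
    }
    stage_rc=0
    for v in $packs; do
        d="$2/$v"
        # Each pack must be extracted into its own version directory.
        if [ ! -d "$d" ] || [ -z "$(ls -A "$d" 2>/dev/null)" ]; then
            echo "missing or empty: $d (unzip netwitness-$v.zip -d $d)"
            stage_rc=1
        fi
    done
    # The notes say to delete any pack archive copied into the staging area.
    for z in "$2"/netwitness-*.zip "$2"/*/netwitness-*.zip; do
        [ -e "$z" ] || continue      # unmatched glob stays literal
        echo "leftover archive, delete before init: $z"
        stage_rc=1
    done
    return "$stage_rc"
}

# Stand-alone use: pass the currently installed version and the staging root,
# for example: 11.3.2.1 /tmp/upgrade
if [ "$#" -eq 2 ]; then
    check_stage "$1" "$2" &&
        echo "stage ready: upgrade-cli-client --init --version 11.4.1.1 --stage-dir $2"
fi
```
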

  1. Initialize the upgrade, using the following command:
    upgrade-cli-client --init --version 11.4.1.1 --stage-dir /tmp/upgrade
  2. Upgrade Netwitness Server, using the following command:
    upgrade-cli-client --upgrade --host-addr <IP of Netwitness Server> --version 11.4.1.1
  3. When the component host upgrade is successful, reboot the host from NetWitness UI.
  4. Repeat steps 2 and 3 for each component host, changing the IP address to the component host which is being upgraded.

Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on the NetWitness Server. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.

Note: If the following error displays during the upgrade process:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
the patch will install correctly. No action is required. If you encounter additional errors when upgrading a host to a new version, contact Customer Care.

External Repo Instructions for CLI Upgrade

Note: The external repo should have separate directories for 11.4.0.0, 11.4.1.0 and 11.4.1.1, as described in Offline Method (No connectivity to Live Services): Upgrade using the Command Line Interface.

  1. Stage 11.4.1.1 by creating a directory on the NetWitness Server at /tmp/upgrade/11.4.1.1 and extract the zip package.
    unzip netwitness-11.4.1.1.zip -d /tmp/upgrade/11.4.1.1

Note: If you copied the .zip file to the created staging directory to unzip, make sure that you delete the initial .zip file that you copied to the staging location after you extract it.

  2. Initialize the upgrade, using the following command:
    upgrade-cli-client --init --version 11.4.1.1 --stage-dir /tmp/upgrade
  3. Upgrade Netwitness Server, using the following command:
    upgrade-cli-client --upgrade --host-addr <IP of Netwitness Server> --version 11.4.1.1
  4. When the component host upgrade is successful, reboot the host from NetWitness UI.
  5. Repeat steps 3 and 4 for each component host, changing the IP address to the component host which is being upgraded.

Note: You can check versions of all the hosts, using the command upgrade-cli-client --list on NetWitness Server. If you want to view the help content of upgrade-cli-client, use the command upgrade-cli-client --help.

Note: If the following error displays during the upgrade process:
2017-11-02 20:13:26.580 ERROR 7994 — [ 127.0.0.1:5671] o.s.a.r.c.CachingConnectionFactory : Channel shutdown: connection error; protocol method: #method<connection.close>(reply-code=320, reply-text=CONNECTION_FORCED - broker forced connection closure with reason 'shutdown', class-id=0, method-id=0)
the patch will install correctly. No action is required. If you encounter additional errors when upgrading a host to a new version, contact Customer Care.

Offline Method (No connectivity to Live Services): Upgrade using the NetWitness User Interface

The following rules apply when you apply version upgrades:

  • You must upgrade the NW Server host first.
  • You can only apply a version that is compatible with the existing host version.

Caution: The offline User Interface method is only available if you are upgrading a host from 11.3.1.0, 11.3.1.1, 11.3.2.0, 11.3.2.1, or 11.4.1.0 to 11.4.1.1. If you are upgrading a host on an earlier version, you must use the Offline Method (No connectivity to Live Services): Upgrade using the Command Line Interface method. After you complete Step 5 in Offline Method (No connectivity to Live Services): Upgrade using the NetWitness User Interface, go to Upgrading from 11.3.1.0, 11.3.1.1, 11.3.2.0, 11.3.2.1, or 11.4.1.0 to 11.4.1.1.

Caution: If you are upgrading a host from 11.4.0.0 or 11.4.0.1 to 11.4.1.1 using the offline User Interface method, in Step 5 of Offline Method (No connectivity to Live Services): Upgrade using the Command Line Interface, the upgrade will fail with the message Download error. You can still complete the upgrade successfully by following the steps in Upgrading from 11.4.0.0 or 11.4.0.1 to 11.4.1.1.

Task 1. Populate Staging Folder (/var/lib/netwitness/common/update-stage/) with Version Updates

  • If you are upgrading from 11.3.1.0 or later to 11.4.1.1, download the netwitness-11.4.0.0.zip, netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip upgrade packages from RSA Link to a local directory.
  • If you are upgrading from 11.4.0.x to 11.4.1.1, download the netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip upgrade packages from RSA Link to a local directory.
  • If you are upgrading from 11.4.1.0 to 11.4.1.1, download the netwitness-11.4.1.1.zip upgrade package from RSA Link to a local directory.

  1. SSH to the NW Server host.
  2. If you are upgrading from 11.3.1.0 or later to 11.4.1.1, copy netwitness-11.4.0.0.zip, netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip from the local directory to the /var/lib/netwitness/common/update-stage/ staging folder.

    sudo cp /tmp/netwitness-11.4.0.0.zip /var/lib/netwitness/common/update-stage/
    sudo cp /tmp/netwitness-11.4.1.0.zip /var/lib/netwitness/common/update-stage/
    sudo cp /tmp/netwitness-11.4.1.1.zip /var/lib/netwitness/common/update-stage/

  3. If you are upgrading from 11.4.0.x or later to 11.4.1.1, copy netwitness-11.4.1.0.zip and netwitness-11.4.1.1.zip from the local directory to the /var/lib/netwitness/common/update-stage/ staging folder.

    sudo cp /tmp/netwitness-11.4.1.0.zip /var/lib/netwitness/common/update-stage/
    sudo cp /tmp/netwitness-11.4.1.1.zip /var/lib/netwitness/common/update-stage/

  4. If you are upgrading from 11.4.1.0 to 11.4.1.1, copy netwitness-11.4.1.1.zip from the local directory to the /var/lib/netwitness/common/update-stage/ staging folder. For example:

    sudo cp /tmp/netwitness-11.4.1.1.zip /var/lib/netwitness/common/update-stage/

    NetWitness Platform unzips the file automatically.

Task 2. Apply Updates from the Staging Area to Each Host

Caution: You must upgrade the NW Server host before upgrading any Non-NW Server host.

  1. Log in to NetWitness Platform.
  2. Go to ADMIN > HOSTS.
  3. Check for updates and wait for the update packages to be copied, validated, and ready to be initialized.

    "Ready to initialize packages" is displayed if:

    • NetWitness Platform can access the update package.
    • The package is complete and has no errors.

    Refer to Troubleshooting Version Installations and upgrades for instructions on how to troubleshoot errors (for example, "Error deploying version <version-number>" and "Missing the following update package(s)," are displayed in the Initiate Update Package for RSA NetWitness Platform dialog.)

  4. Click Initialize Update.

    It takes some time to initialize the packages because the files are large and need to be unzipped.
    After the initialization is successful, the Status column displays Update Available and you complete the rest of the steps in this procedure to finish the update of the host.

  5. Click Update > Update Hosts from the toolbar.

  6. Click Begin Update from the Update Available dialog.

    After the host is upgraded, it prompts you to reboot the host.

  7. Click Reboot from the toolbar.

Upgrading from 11.3.1.0, 11.3.1.1, 11.3.2.0, 11.3.2.1, or 11.4.1.0 to 11.4.1.1

After you click Update Hosts in step 5, complete these steps:

  1. Click Begin Update from the Update Available dialog.
    After the host is upgraded, it prompts you to reboot the host.
  2. Click Reboot Host from the toolbar.

Upgrading from 11.4.0.0 or 11.4.0.1 to 11.4.1.1

After you click Update Hosts in step 5, the upgrade will fail with the message Download error. You can successfully complete the upgrade by following these steps.

  1. In the Command Line Interface (CLI):

    1. SSH to NW Server.

    2. Run the following command:
      upgrade-cli-client --upgrade --host-addr <IP of Netwitness Server> --version 11.4.1.1
  2. After the NW Server is successfully updated, log in to the NW Server user interface and go to ADMIN > HOSTS, where you are prompted to reboot the host.
  3. Click Reboot Host from the toolbar.

You can upgrade all the other hosts directly from the user interface:

  1. Click Begin Update from the Update Available dialog.
    After the host is upgraded, it prompts you to reboot the host.
  2. Click Reboot Host from the toolbar.

Post-Upgrade Tasks

This topic is divided into two sections, based on the version that you are upgrading from:

Post Upgrade Tasks for Customers Upgrading from version 11.4.1.0

Post Upgrade Tasks for Customers Upgrading from version 11.2.x.x or 11.3.x.x or 11.4.0.x

Post Upgrade Tasks for Customers Upgrading from version 11.4.1.0

Task 1 - Upgrade HIVE version

Note: If you already installed customized HIVE RPMs in 11.2.1 or later, you can skip this task.

After you upgrade to 11.4.1.1, you need to upgrade the HIVE version that is compatible with Warehouse. To install the latest HIVE version, run the following commands on the NetWitness admin server and restart the Reporting Engine service. Download the latest HIVE RPMs from https://community.rsa.com/docs/DOC-109473.

  1. To install HIVE 0.12 version, run the following command:

    rpm -ivh rsa-nw-hive-jdbc-0.12.0-1.x86_64.rpm

  2. To install HIVE 1.0 version, run the following command:

    rpm -ivh rsa-nw-hive-jdbc-1.0.0-1.x86_64.rpm

Task 2 (Optional) - Move the custom certs

Move the custom certs from the external directory to the /etc/pki/nw/trust/import directory.

Task 3 - Enable Decoder Services

After you upgrade to 11.4.1.1, you must enable Capture AutoStart on Network Decoder and Network Hybrid Services.

To enable the Capture Autostart field:

  1. Go to ADMIN > Services.

    The Administration Services view is displayed.

  2. Select a Network Decoder or Network Hybrid service and select > View > Config.

    The services Config view for the selected Network Decoder or Network Hybrid is displayed.

  3. In the Decoder Configuration panel, select the Capture Autostart field and click Apply.

Post Upgrade Tasks for Customers Upgrading from version 11.2.x.x or 11.3.x.x or 11.4.0.x

Perform all the post upgrade tasks mentioned in Upgrade Guide for RSA NetWitness Platform 11.4.1.0.

Product Documentation

The following documentation is provided with this release.

Document | Location
NetWitness Platform 11.4 Product Documentation | RSA NetWitness Platform 11.4 Product Documentation
NetWitness Platform Hardware Setup Guides | RSA NetWitness Hardware Setup Guides
RSA Content for NetWitness Platform | RSA Content for the RSA NetWitness Platform

Known Issues

Issues that remain unresolved in this release are documented here: RSA NetWitness Platform Known Issues. Wherever a workaround is available, it is noted or referenced in detail.

Feedback on Product Documentation

You can send an email to sahelpfeedback@emc.com to provide feedback on RSA NetWitness Platform documentation.

Support Information

There are several options that provide you with help as you need it for installing and using NetWitness Platform:

If you contact Customer Care, you should be at your computer. Be prepared to give the following information:

  • The version number of the RSA NetWitness Platform product or application you are using.

  • The type of hardware you are using.

Use the following contact information if you have any questions or need assistance.

RSA Link | https://community.rsa.com In the main menu, click My Cases.
International Contacts | How to contact RSA Customer Support
Community | RSA Customer Support
Basic Support | Technical Support for your technical issues is available from 8 AM to 5 PM your local time, Monday through Friday.
Enhanced Support | Technical Support is available by phone 24 x 7 x 365 for Severity 1 and Severity 2 issues only.

 
