Availability of BigFix Compliance Analytics version 2.0 Patch 6

HCL BigFix is pleased to announce the release of BigFix Compliance Analytics version 2.0 Patch 6

Product: BigFix Compliance

Title: Availability of BigFix Compliance Analytics version 2.0 Patch 6

Published site: SCM Reporting, version 147

BigFix Compliance Analytics version 2.0 Patch 6 includes a number of fixes and library updates, including JRuby and Rails. New installations have additional weak cipher suites disabled by default; existing installations can disable them with a new Fixlet in the SCM Reporting site. Fixes resolve issues with datasource groups and an issue importing from databases with case-sensitive collation.

  • JRuby updated to 9.2.20.1 addressing CVE-2021-41817
  • Rails updated to 5.2.6.2 addressing CVE-2022-23633

Actions to take:

  1. To take advantage of the fixes, upgrade BigFix Compliance Analytics to version 2.0.6.
  2. Deploy Fixlet 1010 from the SCM Reporting Fixlet site to disable weak cipher suites.
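After the upgrade, confirm that the bundled libraries actually reached the versions the advisory names before treating CVE-2021-41817 and CVE-2022-23633 as closed. The script below is an added example, not part of HCL's announcement or the product: it walks an install directory for JRuby jars and Rails/Action Pack gem directories and reports whether the lowest version found meets the stated minimums. The default install path and the file-name patterns (jruby-complete/core/stdlib-<version>.jar, gem directories such as actionpack-5.2.6.2) are assumptions about how the product packages these libraries; adjust them for your deployment.

```python
"""Post-upgrade library version check (added example, not HCL code).

Reports whether the JRuby jars and Rails/Action Pack gems found under an
install directory meet the minimums this advisory states:
JRuby 9.2.20.1 (CVE-2021-41817) and Rails 5.2.6.2 (CVE-2022-23633).
"""
import os
import re
import sys

# Minimum versions taken from the advisory text.
MINIMUMS = {
    "jruby": (9, 2, 20, 1),
    "rails": (5, 2, 6, 2),
}

# Assumed naming: standard JRuby distribution jar names, and RubyGems
# install-directory names such as "actionpack-5.2.6.2".
# CVE-2022-23633 lives in Action Pack, so either gem name counts.
PATTERNS = {
    "jruby": re.compile(r"^jruby-(?:complete|core|stdlib)-(\d+(?:\.\d+)+)\.jar$"),
    "rails": re.compile(r"^(?:rails|actionpack)-(\d+(?:\.\d+)+)$"),
}


def parse_version(text):
    """'9.2.20.1' -> (9, 2, 20, 1). Tuples compare numerically, so
    9.2.20.1 > 9.2.9.0; a plain string comparison gets that wrong."""
    return tuple(int(part) for part in text.split("."))


def versions_found(names):
    """Map library -> set of version tuples found among the given names."""
    found = {lib: set() for lib in PATTERNS}
    for name in names:
        for lib, pattern in PATTERNS.items():
            match = pattern.match(name)
            if match:
                found[lib].add(parse_version(match.group(1)))
    return found


def evaluate(names):
    """Return {library: (status, lowest_version_or_None)} with status
    'ok', 'outdated' or 'missing'. The lowest version present is what
    matters: a stale copy left beside the new one is still loadable."""
    found = versions_found(names)
    result = {}
    for lib, minimum in MINIMUMS.items():
        if not found[lib]:
            result[lib] = ("missing", None)
            continue
        lowest = min(found[lib])
        result[lib] = ("ok" if lowest >= minimum else "outdated", lowest)
    return result


def scan_install_dir(root):
    """Collect every file and directory base name under root and evaluate."""
    names = []
    for _dirpath, dirnames, filenames in os.walk(root):
        names.extend(dirnames)
        names.extend(filenames)
    return evaluate(names)


if __name__ == "__main__":
    # Assumed default path; pass the real install directory as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\BigFix Compliance"
    report = scan_install_dir(root)
    for lib, (status, version) in report.items():
        shown = ".".join(map(str, version)) if version else "-"
        wanted = ".".join(map(str, MINIMUMS[lib]))
        print(f"{lib}: {status} (lowest found {shown}, minimum {wanted})")
    sys.exit(0 if all(s == "ok" for s, _ in report.values()) else 1)
```

Run it on the server with the real install directory as the first argument; a non-zero exit means at least one library is missing or below the advisory's minimum, which is the case to raise with support before signing the CVEs off.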

For first time installation:

  1. In the License Overview Dashboard in the BigFix console (BigFix Management domain), enable the SCM Reporting site.
  2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.
  3. Select the Fixlet named BigFix Compliance Server 2.0 - First-time Install Fixlet under the BigFix Compliance Install/Upgrade menu tree node.
  4. Follow the Fixlet instructions and take the associated action to install your BigFix Compliance deployment.

For upgrade installation: Refer to the prescribed upgrade steps for the BigFix Compliance version that you are using.

IMPORTANT: Before you start any upgrade process, perform a server and database backup.

A. For BigFix Compliance Analytics versions 1.9.x, 1.10.x and 2.0.x:

  1. Make sure that you completed the server and database backup.
  2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.
  3. Under the BigFix Compliance Install/Upgrade menu tree item, select the BigFix Compliance Server 2.0 - Upgrade Fixlet which automatically installs and upgrades to the new version.
  4. Follow the Fixlet instructions and take the associated action to upgrade your BigFix Compliance deployment.
  5. Update the data schema. To do this, log in to the BigFix Compliance web interface from the host server and proceed with the configuration. Upgrading the data schema is expected and takes some time to complete. NOTE: Automatic upgrade installation only affects installations running under the LocalSystem account. If this Fixlet cannot be applied, follow the Fixlet instructions to install the update manually.

B. For BigFix Compliance Analytics versions prior to 1.9:

  1. Manually upgrade to version 1.10.1.48. The 1.10.1.48 installer can be found here: http://software.bigfix.com/download/bfc/server/1.10/bfc-server-1.10.1.48.exe
  2. After manually upgrading to version 1.10.1.48, use the BigFix Compliance Server 2.0 - Upgrade Fixlet to upgrade to version 2.0 (see section A above).

More information:

BigFix Compliance team
HCL BigFix

For this update do you have information whether it fixed any security issues that are rated Critical or High?

I downloaded the update to look at the files, and see JRuby files with jruby-xxx-9.2.20 in their names. JRuby has a page showing they fixed security issues in versions below 9.2.20.
https://www.jruby.org/2021/12/01/jruby-9-2-20-1
and the JRuby version had a CVE that is rated High by NIST.

Do you know if Compliance was vulnerable to this issue, and if so does this update fix it?

Yes, I’ve updated this post with that info. We updated JRuby and Rails, and those updates address CVE-2021-41817 and CVE-2022-23633.

Thanks for the updated information. Since this confirms the issues are rated High we have our own guideline for getting them tested and deployed to our BigFix installations.

Does this version require a schema update? I did the upgrade and everything went well, but the update schema page didn’t show up. I upgraded mine from 2.0.5.