BigFix 10.0 Patch 9 is now available!

adinia 2023-03-20 20:59:57 UTC #1

The BigFix Team is pleased to announce the release of version 10 Patch 9 (10.0.9.21) of BigFix Platform. The main features in this release are as follows:

CORE PLATFORM
Improved certificate management for HTTPS downloads
This release introduces a more flexible management of the CA bundles used in HTTPS downloads. For details, see Customizing HTTPS for downloads and Download

CLOUD
MongoDB dependency removal from Plugin Portal
BigFix Platform 10.0 Patch 9 helps to reduce the total cost of ownership of a BigFix deployment by removing the Plugin Portal dependency from MongoDB for cloud related scenarios. The Plugin Portal can now be installed or upgraded without the need to have MongoDB. In case of Plugin Portal upgrades, reports stored in MongoDB will be automatically migrated to the SQLite database tables. For details see The Plugin Portal.

Note that BigFix Modern Client Management / Mobile V2.1 application still requires MongoDB; if you are using this application, you cannot uninstall MongoDB after upgrading the Plugin Portal to version 10.0.9. The same applies if you are using the MongoDB instance for any non-BigFix-related purpose

Support for AWS IMDSv2
The BigFix Agent is now able to retrieve properties for the Amazon Web Services (AWS) instances that are configured to use AWS IMDSv2 protocol. This allows to further enhance the security level of AWS instances by restricting IMDS usage to v2 only (IMDS v1 disabled) without any side effect on the BigFix deployment. For more details see: Correlated Devices

Added support for:

Rocky Linux 9 (Agent)
Oracle EL 9 (Agent)
RHEL 9 ppc64le (Agent)
For more detail, see Detailed System Requirements

Upgrade of the following libraries:

The cURL library was upgraded to Version 7.88.1
The OpenSSL library was upgraded to Version 1.0.2zg

Defect Articles (DA), defect fixes and Serviceability enhancements

Additional information about this release

The standalone BigFix tools are published under the 10.0 Utilities section in BigFix Enterprise Suite Download Center.
A Non-Functional Requirements checklist, covering both performance and security management of your BigFix deployment, is available at BigFix Performance & Capacity Planning Resources

References

See the full technical changelist

Pre-Upgrade Considerations

This release includes all the BigFix Platform components. It also includes the Plugin Portal that enables the Multicloud and Modern Client Management capabilities.
The unixODBC RPM package is a prerequisite for the Server components on Linux systems (see Server Requirements). This applies to version 10.0.2 and later.
Upgrade paths to BigFix 10 begin with v9.5.10 or later. For details, see Upgrading on Windows systems and Upgrading on Linux systems.
For detailed information on the specific changes to minimum supported versions of operating systems and databases for BigFix 10, see Detailed System Requirements.
Before getting started with the upgrade process, stop any active application that is connected to the BigFix database (such as Web Reports, WebUI, BigFix Inventory, or BigFix Compliance).

Useful links

Upgrade Fixlets are available in BES Support version 1477 (or later).

– HCL BigFix – Platform Team

Upgrade Windows BigFix From 10.0.2 to 10.0.9

vk.khurava 2023-03-20 21:23:02 UTC #2

Both shared links are not working, its saying “page not found”

lesposito 2023-03-20 21:34:44 UTC #3

It might take some more time to propagate, it will be monitored, thanks for advising

orbiton 2023-03-21 07:27:58 UTC #4

Links are still not available

lesposito 2023-03-21 08:12:19 UTC #5

Yes, it might take up to 24h - thanks for checking

adinia 2023-03-21 08:48:50 UTC #6

adinia 2023-03-21 09:17:33 UTC #7

Links are now working. Thx for your patience

adinia 2023-03-21 09:18:02 UTC #8

Security bulletin related to this release will be published no later than Thursay, March 23rd.

MatthiasW 2023-03-22 11:45:26 UTC #9

There have been some issues with patch 8, eg. Site issues, SCA import failures etc.
Are those issues fixed within Patch 9?
As my prod system is still on patch 7 I’m thinking about directly going to Patch 9 and skip 8.

JasonWalker 2023-03-22 12:48:22 UTC #10

I hadn’t heard about SCA import failures due to Patch 8, but for the other things, generally what changes in patch 9 makes them easier to resolve but still read the carefully the “Customizing HTTPS for downloads” link @adinia posted above.

The “Failed Downloads due to HTTPS Verification” is unfortunately an intended effect of hardening our HTTPS defaults to be more secure. If you are only downloading from public sites using publicly-trusted certificates, you should be able to upgrade to 10.0.9 without issue.

However if you are using any self-signed or internally-issued certificates for downloads, there are some configurations you’ll need to make. In most deployments this includes Inventory Catalog downloads (where the Root Server downloads a catalog from your BFI server, and the BFI server is using the default self-signed certificates or one issued internally by your org); or you host your own downloads on an internal web server; or you use a Proxy that inspects & rewrites the TLS session with its own certificates. In those cases, you’ll need to update your server’s Certificate Trust Store to include trusts for your certificates (to maintain the more secure TLS authentication), or set _BESRelay_Download_UntrustedSites to 1 (to relax the new TLS authentication and behave like 10.0.7, ignoring the ‘untrusted certificate’ error and allowing the downloads to proceed.).

Adding your certificates to the certificate trust store is more secure and is preferred; disabling the TLS authentication disables the verification for all sites, and is similar to clicking “Connect anyway” to a browser’s dialog about untrusted certificates. Traditionally this didn’t much matter in a BigFix context, where we automatically validate the downloads’ hash values and can be assured that the download file is what we expected, but the TLS authentication is much more important when we consider some dynamic download options.

mikelbeck 2023-03-22 14:20:36 UTC #11

JasonWalker:

However if you are using any self-signed or internally-issued certificates for downloads, there are some configurations you’ll need to make. In most deployments this includes Inventory Catalog downloads (where the Root Server downloads a catalog from your BFI server, and the BFI server is using the default self-signed certificates or one issued internally by your org); or you host your own downloads on an internal web server; or you use a Proxy that inspects & rewrites the TLS session with its own certificates. In those cases, you’ll need to update your server’s Certificate Trust Store to include trusts for your certificates (to maintain the more secure TLS authentication), or set _BESRelay_Download_UntrustedSites to 1 (to relax the new TLS authentication and behave like 10.0.7, ignoring the ‘untrusted certificate’ error and allowing the downloads to proceed.).

I found that in order for the BFI catalog download to work properly in 10.0.8, _BESRelay_Download_UntrustedSites had to be set to 1.

We use certificates issued by our internal PKI. Are you saying that there is another certificate that the BFI server uses for downloads?

JasonWalker 2023-03-22 15:27:00 UTC #12

No, I’m saying that the BES Root Server downloads the catalog from the BFI server… this version of the catalog contains both the default software detections along with any custom signatures you’ve added to Inventory. When the Root Server performs this download from the BFI server, it needs to either trust the certificate presented by the BFI server (by adding your internal PKI to the root server’s trusted certificate store), or ignore the untrusted certificate error (by setting _BESRelay_Download_UntrustedSites to ‘1’ as you did).

mikelbeck 2023-03-22 15:37:22 UTC #13

Ah, OK.

What I found was that none of the clients would start the catalog download until I set _BESRelay_Download_UntrustedSites to 1 on the root server.

Like I said earlier the certificates we use are issued by our internal PKI, the root & intermediates are trusted by all of the BigFix servers and the majority of the clients.

Should I be able to set it back to 0 once I’ve upgraded to 10.0.9?

JasonWalker 2023-03-22 15:40:36 UTC #14

You should be able to set it back to 0, but may still need to add your internal PKI to the BigFix certificate trust stores. BigFix does not use the operating systems’ trust store, you’ll need to follow the instructions at https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_customizing_HTTPS_downloads.html to add your PKI to .crt or .pem files to <StorageFolder>/TrustedDownloadCerts or setting _BESRelay_Download_CaCertDirectory and/or _BESClient_Download_CaCertDirectory to custom paths and adding your .crt / .pem files there.

MatthiasW 2023-03-23 14:03:19 UTC #16

For the first look, everythings seems running fine, including downloads. Thanks to team and @JasonWalker for the detailed explanation.

atlauren 2023-03-24 20:42:25 UTC #17

Has this happened?

[forum padding]

JasonWalker 2023-03-24 21:20:06 UTC #18

There’s this one, about issues in some of the open-source libraries we use (curl and OpenSSL) - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0103724

I’m not sure whether to expect any additional articles, will await further response from @adinia

ravik 2023-03-27 06:10:54 UTC #19

Hi,
Is there any documentation around DB Schema changes between various BigFix Platform releases?
Maybe it will be a good idea to document the schema changes.

I have a customer who needs to know the specific DB schema changes between 10.0.7.52 and the latest 10.0.9.

regards

JasonWalker 2023-03-27 11:06:19 UTC #20

No, the database schemas are not publicly documented and are expected to change between releases

adinia 2023-03-28 17:15:55 UTC #21

I confirm, that is the one and only security bulletin for this release. Thx.