Reset Search
 

 

Article

Are Extreme Networks products vulnerable to VN-2015-002 Leap Second?

« Go Back

Information

 
TitleAre Extreme Networks products vulnerable to VN-2015-002 Leap Second?
Question
Are Extreme Networks products vulnerable to VN-2015-002 Leap Second?
Environment
  • ExtremeXOS (EXOS) 15.X.X and 16.1
  • X-Series Secure Core Router
  • Security Information & Event Manager
  • Summit WM3000 Series
Answer
Vulnerable Products
  • EXOS 15.X.X and 16.1.X
  • X-Series Secure Core Router
The vulnerability for the following products have currently not been determined:
  • Security Information & Event Manager
  • Summit WM3000 Series
All other Extreme Networks products are NOT vulnerable to VN-2015-002.

EXOS Vulnerability

All products that run ExtremeXOS (EXOS) software are vulnerable to VN-2015-002 Leap Second if NTP is configured and enabled on the switch.  NOTE: SNTP is not affected by this vulnerability.
  • Vulnerable Component: Kernel
  • Conditions when component vulnerability occurs: While logging a leap second via printk, kernel deadlock can occur due to bad locking.
  • Product version(s) affected: All EXOS products
  • Workaround: Disable ntpd for at least 24 hours before leap second period (command: "disable ntp".)
  • Target Fix Release: EXOS 16.2.1     See:  VN 2015 002 Leap Second
  • Target Fix Timeframe: March, 2016
X-Series Secure Core Router
  • Vulnerable Component: TBD
  • Describe conditions when component Vulnerability occurs (why/when/how): When the Linux kernel processes a NTP add second or delete second event, it may suffer a deadlock while trying to log an informational message.  The chances of this may be greater when a system is busy.
  • Product version(s) affected: All active X-Series releases use a vulnerable Linux kernel version.
  • Workaround: Disable NTP at least 24 hours before the date of each upcoming leap second. Wait a day after the leap second and then re-enable NTP.
  • Target Fix Release: TBD
  • Target Month for Fix Release: TBD
Further details can be found in the official vulnerability notice: VN 2015 002 Leap Second
Additional notes

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255