
Technical Bulletin OmniPCX Enterprise

TC2717-Ed03 Release 12.4/M5.204

New OXE features introduced in OXE R12.4/M5.204.2.b/M5.204.7.c

This document describes the new features delivered in OXE version M5, including their management. Refer also to the
system documentation.

Revision History

Edition 01: April 17th, 2020, gathering all features from previous editions released during the
beta campaign. Document published and transformed into ed.01.
Edition 02: May 27th, 2020, changes in chap. 2.1 and 2.2 (DECT and WLAN sets).
Edition 03: July 6th, 2020, adding information in chap. 2.1.3 (DECT) and features brought in the MD1
patch.

Legal notice:
www.al-enterprise.com The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE. To view other
trademarks used by affiliated companies of ALE Holding, visit: www.al-enterprise.com/en/legal/trademarks-copyright. All other
trademarks are the property of their respective owners. The information presented is subject to change without notice. Neither
ALE Holding nor any of its affiliates assumes any responsibility for inaccuracies contained herein.
© Copyright 2020 ALE International, ALE USA Inc. All rights reserved in all countries.
Table of contents
1 R12.4 / M5.204 ................................................................................................................................ 4
2 New Hardware ................................................................................................................................. 4

2.1 Support of new DECT set 8254 (MD1) .................................................................................. 4


2.1.1 Interaction with older OXE releases ....................................................................................... 4
2.1.2 Tools ................................................................................................................................... 4
2.1.3 Installation........................................................................................................................... 5
2.2 New MIPT sets 8158s & 8168s (MD1) .................................................................................. 6
2.2.1 Registration ......................................................................................................................... 7
2.2.2 Features provided ................................................................................................................ 7
2.2.3 Binaries management ........................................................................................................... 7
2.2.4 Firmware upgrade ................................................................................................................ 8
2.2.5 Maintenance ........................................................................................................................ 8

3 New Features in M5.204.2.B.............................................................................................................. 9

3.1 TELEPHONY ............................................................................................................................ 9


3.1.1 4645 - Solve missing voice prompts issue for years 2021 and beyond ...................................... 9
3.1.2 8088 - remove the "new call" softkey when being in conversation ........................................... 9
3.1.3 8088 - In the info screen, leave only the name and phone number information ..................... 11
3.1.4 Automatic agent logout when set out of service ................................................................... 13
3.1.5 Call to Tandem group (deskphone & DECT) with MLPP rights must take priority on sets status – MD1 ........ 13
3.1.6 Casual Conference for CCD Agents ...................................................................................... 13
3.1.7 Creation of Serbian country variant ..................................................................................... 14
3.1.8 Desk sharing: avoid reboot when log on – log off ................................................................. 14
3.1.9 Display information on Tandem Set ..................................................................................... 14
3.1.10 Emergency notification ..................................................................................................... 16
3.1.11 Take "IP Softphone Emulation” ......................................................................................... 16
3.1.12 MLPP: call to tandem group (deskphone + DECT) with MLPP rights MUST take priority on Sets Status ........ 17
3.2 SIP TRUNKING ..................................................................................................................... 18
3.2.1 DTLS server identity (IP) should be checked against the identity certified within the EGW/CS TLS certificate, in either DN or SAN fields ........ 18
3.2.2 SIP Trunking: Cost free call waiting time ............................................................................. 18
3.2.3 Session Timer per SIP gateway ........................................................................................... 19
3.3 CLOUD CONNECT/RAINBOW .............................................................................................. 19
3.3.1 Cloud Connect refactoring tool “CCTool” .............................................................................. 19
3.3.2 Cloud Connect features....................................................................................................... 20
3.3.3 Command for testing web sockets connections for XMPP and SOCKS5 towards Cloud Connect & Rainbow ........ 20
3.3.4 Remote OXE console on Fleetdashboard .............................................................................. 21
3.3.5 Serviceability Cloud Connect - Monitoring incidents of the Cloud Connect XMPP link ............... 22
3.4 SECURITY ............................................................................................................................. 23
3.4.1 Connect OXE to a domain (especially Rainbow) while being in "trusted hosts mode ................ 23

New OXE features introduced in OXE R12.4/M5.202.x TC2717ed03


Copyright © ALE International 2020 page 2/51
3.4.2 Migration Thales encryption to Native encryption (automatic procedure – MD2) ..................... 25
3.4.3 Native Encryption - SIP TLS: mutual TLS authentication for SIP separated ............................. 29
3.4.4 Update OXE Security Check Tool ......................................................................................... 29
3.4.5 Update Linux kernel to 2.6.32-754.24.2 + new openSSH for security vulnerabilities (MD1) ..... 31
3.4.6 Various security fixes .......................................................................................................... 32
3.5 SYSTEM/INFRA .................................................................................................................... 41
3.5.1 Native compatibility of Lenovo x3250-M6 & HP DL20 G9 & HP DL320e G8v2 for OXE R12.4 .... 41
3.5.2 New dongle: take into account new Flex Version .................................................................. 41
3.5.3 Support of new Hyper-V release Server 2019 (MD1) ............................................................. 42
3.5.4 SUSE Patch upgrade support for GAS (concerns the HOST) .................................................. 42
3.5.5 UPS on GAS (minimum version 8.04) ................................................................................... 42
3.5.6 Web RTC GW on OXE A/S Generic ....................................................................................... 45
3.6 MAINTENANCE/TOOLS ........................................................................................................ 45
3.6.1 Have different incidents between hard-phone and IPDSP ...................................................... 45
3.6.2 Easy installation of OXE ...................................................................................................... 47
3.6.3 WBM: search functionality (MD1) ........................................................................................ 50

1 R12.4 / M5.204
List and description of the features delivered in M5.204.
This document covers the features brought in the first release of OXE R12.4 (M5.204.2.b) plus those brought in the first patch,
MD1 (M5.204.7.c).
Features brought in MD patches are tagged MDx at the end of the sub-title.

2 New Hardware

2.1 Support of new DECT set 8254 (MD1)


This new DECT handset type is supported on IBS, RBS and xBS systems. It is also supported on IP-DECT
systems with some restrictions.

2.1.1 Interaction with older OXE releases


The new DECT handset 8254 is supported from the R12.3 release (M4) under the following conditions:
- It can be registered on release 12.3.x but is seen as an 8232 type. After migration to R12.4 and above it will still be
seen as an 8232.
- Telephony features are fully supported.
- Tools display these handsets as MR300/400.
- Software upgrade is neither available nor activated for these phones.
- Even if this phone is seen as MR300/400, it is compatible with xBS (unlike real MR300/400 handsets,
whose hardware is incompatible with xBS).

If sets were installed in R12.3.x, they have to be re-registered after migration to take advantage of SUOTA
and the maintenance tools. From a telephony point of view, they work the same.

2.1.2 Tools
The “dectsets” tool is modified to update the type of the 8254 handset.
The “termstat” tool is modified to update the type of the 8254 handset.
“downstat m” is the tool used to follow the download status of DECT sets in SUOTA. This tool is adapted
to support the new DECT handset types.

2.1.3 Installation
Installation is similar to that of the previous range (use the “dectinston” tool). On the set
screen, a selection of the functioning mode of the set can be seen:

Keep the default mode “8254” for OXE Release 12.4.


The firmware version in the .7.c OXE patch is V40.85 B00.05 (as seen in the “dectsets” tool). It is also the
version loaded in the factory at the date of this document.

2.2 New MIPT sets 8158s & 8168s (MD1)

The new MIPT 8158s and 8168s handsets provide the same level of service as the existing 81x8
handsets. The entry-level model is the 8158s and the high-end model is the 8168s. The 8158s is similar to
the existing 8118 and the 8168s is similar to the existing 8128. The new handsets (8158s and 8168s) differ
from the 81x8 only with respect to the software version. The user is created as MIPT and is then
recognized as the new phone set after registration.

2.2.1 Registration
The registration process is similar to that of the 81x8 handsets. The registration process obtains
the hardware type of the set from the NOE protocol: the 8158s and 8168s sets send it to
identify themselves. The new handsets have their own binaries, which differ from those of the 8118 and 8128
handsets. The new binaries are managed by the OXE TFTP server, which downloads the software to
the specific handset.

2.2.2 Features provided


The new handsets provide the same features as the 81x8 handsets. No new features are introduced for the
81x8s.

2.2.3 Binaries management


The handsets have their own binary files, which are managed and downloaded to the specific sets
based on the stored hardware type. Firmware version 1.00.xx is used for the new handsets.
As for the 81x8, the firmware of the 81x8s does not include a DHS3 header, so a specific header file named
“mipt8r2bin” has been introduced, with exactly the same format as “mipt8r1bin” for 81x8
handsets.

Both the 8158s and the 8168s use the same binary file, 81x8s.bin. The binary file is located in the
following path:
/DHS3bin/downbin/wifi/mipt8r2bin

2.2.4 Firmware upgrade


For a firmware update by OXE, the parameter Reset for Update Authorized must be set to Yes and the
setting on the set must be “…TFTP upgrade = IP TFTP or 0.0.0.0” (OXE TFTP main CPU).
For an update by DM (WinPDM / IMS3), the parameter Reset for Update Authorized must be set to No and
the setting on the set must be “…TFTP upgrade = 255.255.255.255”.

For backward compatibility in R12.2 and R12.3.1 (only), a specific level of OXE patch has to be installed so
that the system can update the firmware as in R12.4. Today there is no plan to
backport the tools that identify these new sets. If a set is installed with a patch that does not have
this capability, it is important to set the parameter Reset for Update Authorized to “No” to avoid the
MIPT resetting in a loop.

2.2.5 Maintenance
There is no specific MAO set type for the new handsets. The type of MIPT set used is only visible
through maintenance tools. No new tool is added for 8158s and 8168s set maintenance. The following
tools can be used to get information on MIPT sets:
- miptsets
- miptview
- ippstat
- tradna
- readkey
- tftp_check
- tradeq
- eqstat
- termstat
- listerm

Note: The “edsbr” tool displays the type as MIPT_300 for 81x8. The same behavior also applies to
81x8s.

The firmware version of the set for the M5.204.7.c patch (MD1) is 2.02.09.

3 New Features in M5.204.2.B

3.1 TELEPHONY
3.1.1 4645 - Solve missing voice prompts issue for years 2021 and beyond
Voice guides exist for the years 2000 to 2020 to announce the year:
If you are in January 2020 and listen to a VG recorded in December 2019, the voice guide also announces
the year.
If you are in January 2022 and listen to a VG from December 2021, there is no voice guide to announce
2021 and an incident is raised.
It has been decided not to create new VGs for the years after 2020 and to remove the incident.

3.1.2 8088 - remove the "new call" softkey when being in conversation
The objective of this feature is to prevent all actions such as Park the call, New call, Put on hold, Forbid
Camp On and Hold via lineman key when the user is in conversation.

Existing Behavior:
The NOE Conversation page of a user generally displays the caller/callee details and the
conversation time along with soft keys such as Park the call, New call, Put on hold, Forbid Camp On and
Hold via lineman key. The soft keys appear according to the rights configured in the Phone COS. The user
controls the call using the configured soft keys.

Fig 1 Existing display of NOE Conversation page

Enhancement:
This feature is proposed to control the enquiry call and the other features accessible through rights
configured in the Phone COS when the user is in conversation. A new parameter is introduced in the
Alcatel-Lucent 8&9 series Phone COS for this feature. If this parameter is enabled, no action is
allowed except call release (on hook); additionally, hold via lineman key is not possible either.
If this parameter is disabled, the set shows the default conversation display
with soft keys according to the Phone COS.

Note:
This feature is common to all types of NOE (8&9 series) sets.

This feature applies only to basic users, not to advanced users such as Attendant, Agent or Hotel.
This feature applies only to NOE sets.

Configuration procedure:
For this feature, a new parameter “Forbid all actions, softkey in conv” is introduced under Mgr->Alcatel-Lucent
8&9 series->8&9 Series COS->Phone COS. The default value of the parameter is FALSE.

MAO parameter - New Phone COS

Help text in GEA for Forbid all actions, softkey in conv parameter:

3.1.3 8088 - In the info screen, leave only the name and phone number information
A new parameter "INFO tab: limited display" has been added as a part of this feature.

8088 (Linux) - In the info screen, leave only the name and phone number information

Existing Behavior
The NOE INFO page of a user generally displays the set feature related status information
(for example, the number of new messages and the number of unanswered calls) along with the name and phone number of the
user.

Fig 2 Existing display of INFO page

Enhancement
This feature is proposed to display only the name and phone number in the NOE INFO page of the user.
A new parameter is introduced in the Alcatel-Lucent 8&9 Series Phone COS. If this parameter is enabled,
only the name and phone number are displayed in the NOE INFO page of the user. If this parameter is
disabled, the set shows the default display with all the set feature related status
information.
Note:
This feature is common to all types of NOE sets: IP/TDM and also IPDSP.
When the parameter is modified, the set must be rebooted for the info screen to change.

Fig 3 INFO page display – enhancement

3.1.4 Automatic agent logout when set out of service


An out-of-service IPDSP ACD Operator is automatically logged off only after a delay, managed by the new
system timer No 386.

When the IPDSP ACD Operator goes out of service, timer No 386 is started.
If the IPDSP ACD Operator returns to service before timer No 386 expires, nothing is executed.
If timer No 386 expires, the Log-Off of the IPDSP ACD Operator is executed automatically.
To keep the current way of working, if timer No 386 equals 0, timer No 386 is not started and
the automatic Log-Off of an out-of-service IPDSP ACD Operator is never executed.

The automatic Log-Off of the last agent of a processing group is performed even if the parameter “Log-Off
last agent” is set to false for this processing group.
System Timer No 386: T_AUTOMATIC_LOGOFF_IPDSP_OOS_ACDV

3.1.5 Call to Tandem group (deskphone & DECT) with MLPP rights must take priority on sets
status – MD1
Feature to be described later (MD1 patch)

3.1.6 Casual Conference for CCD Agents


"Casual conference" already exists for OXE users only.
For CCD Operators, only up to three-party conference existed.
From R12.4 onwards, six-party conference is available for CCD Operators (Agent, Supervisor mono and
multi).
Some restrictions apply to Casual conference for CCD Operators:
* Enquiry call on one line is not supported for multiline CCD Operators.
* Enquiry to Pilot or RSI is not possible.
* ACD End call services are not proposed for the new CCD Master in the transfer case, but they are proposed
for the Master who initiates the enquiry call.
* This feature is not applicable to DECT and REX Pro-ACD sets.

3.1.7 Creation of Serbian country variant


The objective of this feature is to create SERBIA as a new country in the OXE database. It is delivered in
OXE Release R12.4 (M5) under marketing id RQOXE-472, "Creation of SERBIA as a new country in OXE
Database", and also enables the translation of Yugoslavia databases into the new country variant
"Serbia".

3.1.8 Desk sharing: avoid reboot when log on – log off


A Desk Sharing set no longer reboots after a DSU Logon or Logoff operation.
The feature is controlled by a Boolean:
Path: “System/ Other System Param./ Local Features Parameters Avoid reboot for DS logon/logoff”
This management is dynamic.

Important restrictions for the feature avoid reboot when desk sharing log on – log off:
• The avoid reboot when desk sharing logon – log off feature is applicable only
o for NOE3GEE sets (8018, 8008, 8028s, 8058s, 8068s, 8078s).
o when no AOM is configured on the DSU/DSS
o when both DSS and DSU are in the same node
o when both DSS and DSU belong to the same NOE family
• When the DSU is logged on
o Deleting or modifying the DSS in mgr/8770/WBM is restricted
o Changing the set type of the DSU in mgr/8770/WBM is restricted
o Configuring an AOM on the DSU is not recommended
• It is not recommended to configure the DSS/DSU as Boss/Secretary
• The configurations of the DSS and DSU (user encryption capability, set type, language, AOM)
should be homogeneous in both the local and the network cases.

As a reminder: no license is consumed for DSUs. Only a license for the DSS is required.

3.1.9 Display information on Tandem Set


A new system option 'Displayed Info On Secondary Sets' is used to control the displayed directory
number in secondary tandem sets. If the system option is set to display the main information, then the
secondary tandem set displays the name and number of the Main user. If the option is set to display the
secondary information, then the secondary tandem set displays the name of the main user and the
number of the secondary tandem.

Detailed explanation:
Name and directory number displayed on “info home page”.

- On a set connected to OXE, the user can consult its directory number and the name of its user.
- The name and directory number information are displayed:
· on the info home page for NOE sets,
· on the “who am I” screen (on long press of the left menu button / under the services menu on 82x2 DECT sets) for
DECT sets,
· on the idle home page screen for MIPT sets.
- When a set becomes a secondary (this is the original way of working of the Tandem):
the displayed name is the name of the main set,
the displayed directory number is still the number of the set itself (not the main’s one), up to the OXE (R12.3) M4
release. From the OXE (R12.4) M5 release, this display is controlled by a new system option “Displayed
Number On Secondary Sets”.
System Option – Displayed Number On Secondary Sets
A new system option “Displayed Number On Secondary Sets” has been introduced under:
mgr->System->Descend Hierarchy->Other System Parameters->Descend Hierarchy->Local Features.
This option allows the user to choose whether the directory number displayed on the secondary tandem set is
the “Main Directory Number” or the “Secondary Directory Number”. The behavior also applies to
multi-device configuration.
When a user is newly configured as tandem, the displayed directory number is updated as
described above. For an existing secondary tandem user, either a reboot of the set or a
tandem reconfiguration is required to change the display as described. The default value of this option is Secondary
Directory Number.

System Option ‘Displayed Number On Secondary Sets’ set as Main Directory Number
If the “Displayed Number On Secondary Sets” option is set to Main Directory Number, the secondary
tandem set displays the directory number of the main set in the directory number field of the info page.

System Option ‘Displayed Number On Secondary Sets’ set as Secondary Directory Number
If the “Displayed Number On Secondary Sets” option is set to Secondary Directory Number, the
secondary tandem set displays the directory number of the secondary set (its own directory number) in the
directory number field of the info page.

3.1.10 Emergency notification


With this feature, a new menu, “Emergency Group”, is introduced under mgr->Applications. The Emergency Group menu
can be used to configure Emergency Call Alert Stations.
These Emergency Call Alert Stations are notified (audible tone and visual notification) as soon as an emergency
call is detected.
Emergency calls are logged in a dedicated call log, and the list of emergency calls can be viewed by accessing
the Emergency Call Log.

3.1.11 Take "IP Softphone Emulation”


Feature “Take "IP Softphone Emulation" parameter into account for OXE profiles”: the objective of this
feature is to provide the ability to configure IPSoftphone Emulation through a User Profile.

Existing Behaviour

Creation of User Profile


A user created with the characteristics of another user (which acts as a template) is called a User
Profile. A user profile is created by setting the Set Function attribute to “Profile” and providing a profile
name and directory number under mgr -> Users.

Fig 1: Profile Creation

Configuring IPSoftphone Emulation

IPSoftphone Emulation can be configured via mgr-> users-> DH-> TSC IP User by setting IPSoftphone
Emulation to yes for the current profile.

Fig 2: IPSoftphone Emulation

Limitation in existing behavior

A new user created through “User by profile” is updated according to the user profile. However, the value
configured for IPSoftphone Emulation in the profile is not copied to the IPSoftphone
Emulation value of the user.

Enhancement
Configuring IPSoftphone Emulation through the “Users by Profile” menu:
A new user created through “User by profile” is updated according to the user profile, and the value
configured for IPSoftphone Emulation in the profile is now copied to the IPSoftphone Emulation value of
the user.

3.1.12 MLPP: call to tandem group (deskphone + DECT) with MLPP rights MUST take
priority on Sets Status
The objective of this feature is to preempt the busy secondary tandem, engaged in a low-priority call, for a
priority call received on the main tandem when the main tandem is free.

Explanation of the enhancement:


When a priority incoming call arrives at a free main tandem, it starts ringing and sends the incoming call
information to the busy secondary tandem for ringing. With this feature, the call server checks whether
the current conversation on the secondary tandem can be preempted for the received priority incoming call. This
is decided on the conditions below:
- The incoming priority call activation mode is equal to 3.
- The priority of the current conversation is lower than the priority of the incoming call to the main tandem.
- The main tandem is free and is ringing for the priority call.

If the above conditions are satisfied, the main tandem stops ringing for the priority incoming call and
the preemption process is initiated by starting the temporized preemption timer. When the timer expires, the
secondary tandem displays a warning screen to inform the user about the preemption of the current
conversation, disconnects the current low-priority call and then presents the priority incoming call to
the user.
When the secondary tandem is busy with a low-priority call, the priority incoming call to the tandem main is
presented to the tandem sets (main and secondary) with the following configuration on the main tandem:
mgr->Users->Review/Modify-> Partial busy = True
mgr-> Users-> Descend Hierarchy -> Dynamic state User-> Busy camp on = False
The concepts of the MLPP feature, such as the preemption beep and the temporized preemption timer, also apply to
the preemption of the secondary tandem. The secondary tandem is preempted by both implicit
and explicit priority incoming calls.
A current conversation with a direct call on the secondary tandem is preempted by a priority incoming call to
the tandem main.
The limitations and restrictions of the MLPP feature also apply to this feature.
This feature is applicable to the following set types:
40x8, 40x9, 80x8, 80x8s, 80x9s, 80x9, 8088, IPDSP, AGAP 82x2, AGAP 82x4, WLAN 81x8 and 81x8s.

3.2 SIP TRUNKING


3.2.1 DTLS server identity (IP) should be checked against the identity certified within the
EGW/CS TLS certificate, in either DN or SAN fields
The DTLS server identity (IP address) must be checked against the identity certified in the EGW/CS TLS
certificate, in either the DN or the SAN fields.
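An added example (not part of the ALE bulletin or of OXE code) of the identity check this item calls for: the expected server IP is matched against the certificate's SAN IP Address entries first and, only when the certificate carries no SAN IP entries, against the subject DN commonName, following the SAN-first rule of RFC 6125. The certificates are constructed inline in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(); the sample IPs and names are made up.

```python
"""Check that a TLS/DTLS server's IP identity matches its certificate.

Added example, not ALE's or OXE's code. It works on the dictionary shape that
Python's ssl.SSLSocket.getpeercert() returns, so the sample certificates at
the bottom are constructed inline in that shape.
"""
import ipaddress


def _san_entries(cert, kind):
    """Return the values of the given subjectAltName kind ('IP Address', 'DNS')."""
    return [value for (k, value) in cert.get("subjectAltName", ()) if k == kind]


def _subject_common_names(cert):
    """Return all commonName values found in the subject DN."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def server_ip_matches_cert(expected_ip, cert):
    """Return (ok, reason).

    Rule applied here (the SAN-first rule of RFC 6125, an assumption of this example):
    1. If the certificate carries SAN IP Address entries, the expected IP must
       equal one of them; the subject CN is then ignored.
    2. Otherwise, fall back to the subject DN commonName, which must hold the
       same IP literal.
    IPs are compared as parsed addresses so that alternative spellings of the
    same address cannot slip past a plain string comparison.
    """
    try:
        expected = ipaddress.ip_address(expected_ip)
    except ValueError:
        return False, "expected identity is not an IP literal: %r" % expected_ip

    san_ips = _san_entries(cert, "IP Address")
    if san_ips:
        for raw in san_ips:
            try:
                if ipaddress.ip_address(raw) == expected:
                    return True, "matched SAN IP Address %s" % raw
            except ValueError:
                continue  # malformed SAN entry: ignore it, never trust it
        return False, "SAN present but none of %s equals %s" % (san_ips, expected)

    for cn in _subject_common_names(cert):
        try:
            if ipaddress.ip_address(cn) == expected:
                return True, "no SAN IP Address; matched subject CN %s" % cn
        except ValueError:
            continue  # CN is a host name or free text, not an IP literal
    return False, "no SAN IP Address and no CN equal to %s" % expected


# Constructed sample certificates in getpeercert() shape (not real OXE/EGW certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "egw.example.test"),),),
    "subjectAltName": (("DNS", "egw.example.test"), ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {
    "subject": ((("organizationName", "Example"),), (("commonName", "192.0.2.20"),)),
}
CERT_CN_IGNORED = {
    # SAN IP present, so the CN must not be consulted even though it "matches"
    "subject": ((("commonName", "192.0.2.30"),),),
    "subjectAltName": (("IP Address", "192.0.2.31"),),
}

if __name__ == "__main__":
    for ip, cert in (("192.0.2.10", CERT_WITH_SAN), ("192.0.2.20", CERT_CN_ONLY),
                     ("192.0.2.30", CERT_CN_IGNORED)):
        print(ip, server_ip_matches_cert(ip, cert))
```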

3.2.2 SIP Trunking: Cost free call waiting time


The Chatel law imposes on French ISPs that, in their call centers in charge of after-sales services, technical
assistance and claims services, the waiting time of a call before the answer of the first physical user
be cost free for callers.

The requirement is that OTCC-SE sends a specific SIP INFO message, compliant with RFC 2976, when the first
physical user answers a SIP call received from the network on a Routing Pilot or an RSI of this OTCC-SE.

The specific SIP INFO message, on answer of the first physical user, is sent for a call to a Routing Pilot or an
RSI only if this new management parameter is set to the Orange value for the Routing Pilot or RSI:

• mgr->Applications->CCD->Pilot->Cost Free Waiting Time

English help message:


When the first physical user answers a SIP call routed to this Routing Pilot:
None: (Default value) No emission of SIP message.
Network: Emission of specific carrier SIP INFO message.

3.2.3 Session Timer per SIP gateway
This feature extends the session timer, minimum session timer and session timer method settings
to each SIP external gateway.

3.3 CLOUD CONNECT/RAINBOW


3.3.1 Cloud Connect refactoring tool “CCTool”
The aim is to organize all the CCO services with a single, simple, centralized tool, “CCTool”, to avoid the complexity
of the feature implementation,
and to implement a new menu in MAO to enable and disable all new CC services.

CCTool:
Operations
The CCTool provides the following capabilities:
- Launch the FTR (no longer from the netadmin tool)
- Launch an FTR with input of the PIN code
- Display the FTR status
- Display parameters (keepalive and features)
- Force an RTR request (without waiting for the planned slot)
- Display the RTR data (the CCTool has access to the remanent data)
- Modify the log level for each feature: FTR/RTR/DC/Console/…:
4 log levels are available: ERROR/INFO/DEBUG (default)/TRACE
Note:
Netadmin tool: the “Cloud Connect” menu (19) is removed.
The “ftrtool” tool no longer exists.

The new menu takes into account both FTR and RTR operations.

3.3.2 Cloud Connect features
Possibility to enable/disable "Remote Management"
Possibility to enable/disable "Inventory"
Possibility to enable/disable "Get Offer File"
Possibility to configure the Keep alive frequency

Management:
Go to: “mgr-> Cloud Connect -> Review/Modify: Cloud Connect”

3.3.3 Command for testing web sockets connections for XMPP and SOCKS5 towards Cloud
Connect & Rainbow
To help the administrator configure and enable the Cloud Connect function, a new tool script,
“checkCloudConnect.sh”, is provided to check or detect bad configuration in OXE or in the
network environment (HTTP proxy, DNS).

The script must be manually launched by the administrator.


Checking OXE connectivity to the Cloud Connect infrastructure consists in verifying:
The capability of the OXE to resolve an Internet domain address through its managed DNS (the DNS
declared through netadmin): this test is done only if no HTTP proxy is managed in netadmin (with a
proxy, the resolution is done at proxy level and the local OXE DNS is not used).

The capability of the OXE to set up the secured WebSocket connection that will carry the XMPP link
with the server through the managed HTTPS proxy (the proxy declared through netadmin, if
there is one): for this purpose, the check consists in establishing an HTTPS connection through the proxy.

The capability to set up a SOCKS5 link. There are 2 cases:


if no proxy is declared in OXE, the check only consists in verifying that a TCP socket can
be established to the CCI proxy (i.e. the XMPP infra server on port 80);
if a proxy is declared in OXE, the check consists in verifying that a TCP socket can be
established to the CCI proxy (i.e. the XMPP infra server on port 80) via a TCP tunnel through the proxy
(the SOCKS5 setup procedure is not executed; only the port connectivity is checked).

To make these tests in a Rainbow context, the script may be executed with a specific -rainbow option.

These tests will be executed by the CCAgent process which already has access to the netadmin data (OXE
DNS configuration and http proxy configuration) and provides the means to execute these tests.

The script checkCloudConfig.sh is executed on line and accepts zero or several arguments:
Usage
checkCloudConfig.sh can accept optional arguments:
checkCloudConfig.sh [-d=domain] [-p=port] [-x=proxy_address:proxy_port] [-rainbow]
ex:checkCloudConfig.sh
=> test on default cci (connect2.opentouch.com:80) server through proxy (from oxe config)
or checkCloudConfig.sh -rainbow
=> test on default rainbow domain (openrainbow.com:443) through proxy (from oxe config)
ex:checkCloudConfig.sh -d=qa.connect2.opentouch.com -p=1080 -x=172.25.6.149:3128
=> test on specified domain and port through specified http proxy
checkCloudConfig.sh -h: to display the optional parameters.
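The checks listed above can also be reproduced from an administration workstation on the same network, which helps separate a proxy or DNS problem from an OXE configuration problem. The following Python script is an added example and is not the bulletin's checkCloudConfig.sh nor any ALE code: it mirrors the option syntax and default targets quoted above, resolves the domain through the local resolver when no proxy is given, and otherwise performs the HTTP CONNECT tunnel request through the proxy and reads the proxy's status line (both the HTTPS-through-proxy check and the TCP-tunnel check start with that CONNECT exchange, so the example reduces them to it). The stub_proxy helper is a constructed local stand-in for a real proxy so the tunnel logic can be exercised offline; all function names are my own.

```python
"""Added example: reproduce checkCloudConfig.sh-style checks (DNS, TCP tunnel through an HTTP proxy).
Not ALE code; option syntax and default targets come from the bulletin, function names are assumptions."""
import socket
import sys
import threading

# Defaults quoted in the bulletin: CCI server without -rainbow, Rainbow domain with -rainbow
DEFAULTS = {"cci": ("connect2.opentouch.com", 80), "rainbow": ("openrainbow.com", 443)}


def parse_args(argv):
    """Mirror the script's syntax: [-d=domain] [-p=port] [-x=proxy_address:proxy_port] [-rainbow]."""
    explicit, proxy, rainbow = {}, None, False
    for arg in argv:
        if arg == "-rainbow":
            rainbow = True
        elif arg.startswith("-d="):
            explicit["domain"] = arg[3:]
        elif arg.startswith("-p="):
            explicit["port"] = int(arg[3:])
        elif arg.startswith("-x="):
            host, _, port = arg[3:].rpartition(":")
            proxy = (host, int(port))
        else:
            raise ValueError("unknown option: " + arg)
    domain, port = DEFAULTS["rainbow" if rainbow else "cci"]
    return {"domain": explicit.get("domain", domain), "port": explicit.get("port", port),
            "proxy": proxy, "rainbow": rainbow}


def resolve(domain):
    """DNS check through the local resolver; only meaningful when no proxy is configured."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(domain, None)})
    except socket.gaierror:
        return []


def build_connect_request(host, port):
    """An HTTPS or raw TCP tunnel through an HTTP proxy starts with an HTTP CONNECT request."""
    return "CONNECT {0}:{1} HTTP/1.1\r\nHost: {0}:{1}\r\n\r\n".format(host, port).encode()


def parse_connect_response(data):
    """Return (tunnel_ok, status_line): only a 2xx status means the proxy opened the tunnel."""
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    ok = len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1][:1] == "2" and parts[1].isdigit()
    return ok, status_line


def tcp_via_proxy(proxy, target, timeout=5.0):
    """Proxy case: ask the proxy for a TCP tunnel to target and read its verdict."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_connect_request(*target))
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_connect_response(data)


def tcp_direct(target, timeout=5.0):
    """No-proxy case: a plain TCP connect to the target port is what the bulletin's check verifies."""
    try:
        with socket.create_connection(target, timeout=timeout):
            return True
    except OSError:
        return False


def stub_proxy(status_line):
    """Constructed local stand-in for an HTTP proxy (answers one CONNECT), used for offline testing only."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(status_line.encode() + b"\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return ("127.0.0.1", srv.getsockname()[1])


def run_checks(opts):
    """Run the checks the bulletin lists for the parsed options; needs real network access."""
    target = (opts["domain"], opts["port"])
    results = {}
    if opts["proxy"] is None:
        results["dns"] = resolve(opts["domain"])   # local DNS is only used when there is no proxy
        results["tcp"] = tcp_direct(target)
    else:
        results["tcp_via_proxy"] = tcp_via_proxy(opts["proxy"], target)
    return results


if __name__ == "__main__":
    print(run_checks(parse_args(sys.argv[1:])))
```

A non-2xx answer to CONNECT (for instance 403 or 407) is the signature of a proxy that filters destinations or requires authentication, which is the "bad configuration in the network environment" the bulletin's script is meant to surface.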

3.3.4 Remote OXE console on Fleet Dashboard

A Business Partner admin (not a user with the "basic" or "advanced" privilege) can start a remote maintenance operation from Fleet Dashboard on any of its systems that are connected to the ALE Cloud infrastructure and own a valid Support Contract (this service is only enabled for systems with a valid SPS).
Savings: no need to go on site or to install a dedicated VPN per customer, quicker reaction time to customer requests, etc.

3.3.5 Serviceability Cloud Connect - Monitoring incidents of the Cloud Connect XMPP link

In the OXE, the administrator consults incidents more naturally than logs.
To improve the maintenance level, the CC-Agent now also produces incidents.
The generated incidents cover both operations and errors.
An error incident carries an error description; a trace incident needs no additional details.

Involved         Alarm/incident                          Context
License          CLOUDCONNECT_SUITE_ID_ERROR             No suiteId, or suiteId modified
CCagent          CLOUDCONNECT_CCAGENT_START              Start of CCagent
CCagent          CLOUDCONNECT_CCAGENT_STOP               Stop of CCagent
Web socket       CLOUDCONNECT_WEBSOCKET_ON               Permanent link connected
Web socket       CLOUDCONNECT_WEBSOCKET_OFF              Permanent link disconnected
Web socket       CLOUDCONNECT_WEBSOCKET_ERROR            Connection can't be established
XMPP link        CLOUDCONNECT_XMPP_ERROR                 Login failure
XMPP link        CLOUDCONNECT_CCAGENT_CONNECTED          Permanent XMPP link logged-in
XMPP link        CLOUDCONNECT_CCAGENT_DISCONNECTED       Permanent XMPP link logged-out
SOCKS5           CLOUDCONNECT_SOCKS5_ERROR               Socks5 can't be established
Remote Console   CLOUDCONNECT_CONSOLE_REQUEST            Incoming console request
Remote Console   CLOUDCONNECT_CONSOLE_OPENED             Console session established
Remote Console   CLOUDCONNECT_CONSOLE_CLOSED             Console session closed
Remote Console   CLOUDCONNECT_CONSOLE_ERROR              Incoming console request can't be performed

3.4 SECURITY
3.4.1 Connect OXE to a domain (especially Rainbow) while being in "trusted hosts mode"
This feature allows the user to connect OXE to Rainbow when OXE is configured in "trusted hosts mode" (OXE is isolated). The user no longer has to know and explicitly manage the IP address of "agent.openrainbow.com".
Currently, if isolation is enabled in OXE for security reasons, OXE cannot establish a connection with the Rainbow agent. To connect to Rainbow, the IP address of 'agent.openrainbow.com' and the proxy server address (if configured) must be added to the trusted host list, and the connection to Rainbow fails if the IP address of the cloud server 'agent.openrainbow.com' changes.
To prevent such cases, the IP address of 'agent.openrainbow.com' is periodically checked and updated in OXE's trusted host file. With this feature the Rainbow connection is established even after isolation of the Ethernet interface and TCP accesses, which relieves the administrator from manually updating the IP address of 'agent.openrainbow.com' whenever it changes.

Connection of OXE with Rainbow after isolation:


OXE can be connected to Rainbow with or without proxy setup.

With proxy:
In this case, OXE connects to the Rainbow server via a proxy and the DNS resolution of agent.openrainbow.com is handled by the proxy itself through its DNS server.
If a proxy is configured, the following steps connect OXE to Rainbow in trusted host mode:
- Isolate the OXE.
- Add the proxy address to the trusted host list.

At present, if OXE is isolated after configuring the proxy, the existing proxy address is not added to the trusted host list. This issue is resolved as part of this feature implementation.
However, the problem does not occur if the proxy is configured after Ethernet isolation.

This feature is extended to add the existing proxy address in the trusted host list when OXE is isolated.
Once proxy is added, the DNS resolution is handled by the proxy and connection with Rainbow is
established.

Without proxy:
In this case, OXE is directly connected to the Internet and a DNS server is configured to resolve the domain agent.openrainbow.com.

Procedure to connect OXE to Rainbow when DNS is configured without proxy:
- Isolate the OXE.
- Add the IP address of the DNS server to the trusted host list.
At present, if OXE is isolated after configuring the DNS, the existing DNS address is not added to the trusted host list. This issue is resolved as part of this feature implementation. However, the problem does not occur if DNS is configured after Ethernet isolation.
When OXE's Ethernet interface is isolated, its routing tables are modified and there is no connectivity to external servers. To connect OXE to the "openrainbow" server in the cloud, a static route through the gateway that provides the Internet connectivity is added to OXE's routing table.
To add a static route to agent.openrainbow.com, the IP address of agent.openrainbow.com must be resolved first.
To resolve the IP address of agent.openrainbow.com, a new option is added in:
netadmin -> 11. Security -> 2. Restricted access -> 7. 'Add/Update a domain name'. Once the domain name is given, its IP address is resolved using the "dig" tool.
After the IP address of "agent.openrainbow.com" has been resolved, it is added to the "/etc/hosts" file, which allows "agent.openrainbow.com" to be added as a static route in the routing table; the DNS address is added to the trusted host list. This provides connectivity between OXE and Rainbow without explicitly managing the address of "agent.openrainbow.com".

To remove a domain name, a new option is added in netadmin -> 11. Security -> 2. Restricted access -> 7. 'Remove domain name'.

Managing change of domain IP:

Connection to Rainbow fails if the IP address of the cloud server "agent.openrainbow.com" changes. To prevent such cases, the IP address of "agent.openrainbow.com" is checked every 5 minutes and updated in /etc/hosts if it has changed. To find the current IP address of the Rainbow cloud, the dig tool is run as a cron job.
Testability
A cron job is configured to check for an update of the IP address of "agent.openrainbow.com". In case of a change, the new IP address is logged in "/var/log/syslog".
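The cron job described above has two failure modes worth handling: rewriting /etc/hosts on every run (noisy, and a half-written file if the host reboots mid-write) and blanking the entry when DNS is temporarily unreachable (which would cut the Rainbow link the feature is meant to preserve). The following Python module is an added example, not ALE's cron job: it resolves with dig as the bulletin states, rewrites the hosts file atomically only when the address actually changed, keeps the last known address on resolution failure, and emits one log line per change (what would land in /var/log/syslog when run under cron). SAMPLE_HOSTS is a constructed hosts file with documentation addresses; the function names are my own.

```python
"""Added example (not ALE code): keep the /etc/hosts entry for agent.openrainbow.com in step with DNS,
the way the bulletin's 5-minute cron job does, and log only real changes. Function names are my own."""
import os
import re
import subprocess
import tempfile

DOMAIN = "agent.openrainbow.com"       # domain named in the bulletin
HOSTS_PATH = "/etc/hosts"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample hosts file (documentation addresses, not real ones)
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n192.0.2.10\toxe-main oxe\n198.51.100.7\tagent.openrainbow.com\n"


def dig_short(domain):
    """Resolve with dig, as the bulletin says the cron job does. Not used by the offline self-check."""
    out = subprocess.run(["dig", "+short", "A", domain], capture_output=True, text=True, timeout=10).stdout
    return [line.strip() for line in out.splitlines() if IPV4.fullmatch(line.strip())]


def current_entry(text, domain):
    """IP currently mapped to domain in a hosts file, or None."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and domain in fields[1:]:
            return fields[0]
    return None


def update_hosts(text, domain, ip):
    """Return (new_text, old_ip). Other lines and other names on the same line are preserved;
    the domain ends up exactly once, on its own managed line."""
    old = current_entry(text, domain)
    if old == ip:
        return text, old
    kept = []
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) >= 2 and domain in fields[1:]:
            fields = [f for f in fields if f != domain]
            if len(fields) < 2:          # nothing else on the line: drop it
                continue
            line = "\t".join(fields) + (sep + comment if sep else "")
        kept.append(line)
    kept.append("%s\t%s\t# managed: refreshed from DNS" % (ip, domain))
    return "\n".join(kept) + "\n", old


def run_once(hosts_path=HOSTS_PATH, domain=DOMAIN, resolver=dig_short, log=print):
    """One cron tick: resolve, rewrite atomically only on change, log the change. Returns True if updated."""
    ips = resolver(domain)
    if not ips:                                   # DNS failure: keep the last known good entry
        log("%s: resolution failed, %s left untouched" % (domain, hosts_path))
        return False
    with open(hosts_path) as f:
        text = f.read()
    new_text, old = update_hosts(text, domain, ips[0])
    if new_text == text:
        return False
    tmp = hosts_path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.replace(tmp, hosts_path)                   # atomic swap, never a half-written hosts file
    log("%s: %s -> %s updated in %s" % (domain, old, ips[0], hosts_path))   # the line syslog would carry
    return True


def self_check():
    """Exercise run_once on a temp copy of SAMPLE_HOSTS with fake resolvers.
    Returns ((updated flags), log lines, final hosts text)."""
    logs = []
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_HOSTS)
    try:
        first = run_once(path, DOMAIN, lambda d: ["198.51.100.8"], logs.append)    # address changed
        second = run_once(path, DOMAIN, lambda d: ["198.51.100.8"], logs.append)   # no change: silent
        third = run_once(path, DOMAIN, lambda d: [], logs.append)                  # DNS failure: untouched
        with open(path) as f:
            text = f.read()
    finally:
        os.unlink(path)
    return (first, second, third), logs, text
```

Run under cron as `*/5 * * * * /path/to/this.py` with `run_once()` as the entry point; since the bulletin's dig-based job runs with root rights to edit /etc/hosts, the atomic replace matters more than it would for a user file.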

3.4.2 Migration Thales encryption to Native encryption (automatic procedure - MD2)

This feature follows the document TC2664 (Migration from encryption security modules to native encryption - Guidelines), available on the Business Portal, which describes the manual removal of the encryption boxes. This feature automates some of those steps.

High Level Steps


1. Disabling of Thales Encryption in OXE.
a. Disabling of encryption for links.
b. Disabling of encryption in associated couplers.
c. Disassociation of Thales Security Modules from the node.
2. Installation of new delivery.
3. Restoration of database (Backed up after disabling Thales configurations).
4. Configure Native Encryption.
Note:
The new tool “iptsecmigration” only automates step 1. Steps 2, 3 and 4 have to be performed manually
by the system administrator.
Consider the node N1 needs to be migrated from Thales based encryption to Native encryption. This can
be achieved by:
1. Login to OXE (node N1).
2. Run the tool “iptsecmigration” as mtcl user.
3. Backup the database after running the tool successfully.
4. Install the new delivery.
5. Restore the database.
6. Configure the Native encryption.

Enhancement
This feature allows the customer to migrate from Thales module based encryption to Native encryption largely automatically and smoothly, with minimal downtime.

Description

Warning: before using the following tool, make sure that any IP equipment that is temporarily unavailable has gone back to its connected and encrypted state. Otherwise manual maintenance on this equipment will be needed (factory reset, firmware reload, etc.), and some IP sets, depending on their type or version, may never go back into service.

The tool "iptsecmigration" removes the Thales configuration from OXE in a single shot. The tool checks the security mode: if the node is secured with IP Touch Security Modules, it continues with the prompt "Are you sure you want to remove IP Touch Security?" and proceeds on user confirmation; if the node is secured in DTLS mode or not secured, it exits at the beginning. The tool backs up the database before starting to disable the Thales configuration. Interrupting the tool while it is running is not recommended. However, in case of manual interruption or a failure midway, the tool stops the operation and prompts for restoration of the database; if the user confirms, the tool re-enables the encryption parameter for all the encrypted links on the link nodes that it disabled earlier (only if there is connectivity between the link nodes), and the MAO database is restored automatically on the next reboot. If the node is rebooted while the tool is running, the user must restore the backed-up MAO database manually after the reboot to retain the proper Thales configuration. The node being separated from the Thales setup is completely delinked from the Thales environment during the entire process. Once the tool has run successfully, the physical association of the Thales boxes (SSM and MSM) with the node must be removed manually and the node reconnected directly to the switch (to communicate over the network again).

Consider the following topology, an expanded diagram of architecture (Fig 1).

Figure 4: High level architecture - Thales setup

Figure 5: Detailed setup diagram – Before executing iptsecmigration

All four nodes (N1, N2, N3 and N4) in the network are linked and encrypted with Thales Security Modules (SM). For migration to Native encryption, each node must be isolated from the network. The tool "iptsecmigration" disables the Thales encryption in OXE and the associated couplers. Once the tool "iptsecmigration" has run successfully on all nodes in the network, clear communication is established over the network (Figure 6). The association of the Thales boxes (SSM and MSM) must then be removed from the nodes manually and the nodes reconnected directly to the switch (Figure 7).

Note:
Internode calls are not possible until the tool "iptsecmigration" has been run on all nodes N1, N2, N3 and N4. When the tool "iptsecmigration" is run on node N1 alone, the link cannot be established between N1 and the other nodes (until the tool "iptsecmigration" has been run on all nodes).

It is not recommended to change the MAO parameters while the tool is running.

Figure 6: Detailed setup diagram – After executing iptsecmigration

Figure 7: Detailed setup diagram – After executing iptsecmigration and removing boxes

Once the OXEs and associated couplers are connected directly to the switch, several steps must be
performed manually to configure Native encryption.

Automatic Operations
The tool performs the following operations automatically.
1. Disabling encryption on all encrypted links.
2. Disabling encryption for the particular link on associated link nodes.
3. Building Config_BT.cfg file.
4. Un-securing the lanpbx.cfg file.
5. Removing all the associated security modules (Thales SM) configurations.
6. Disabling encryption on all associated couplers.

Note:
Steps 1 and 2 are not considered for standalone nodes.
Details on each operation will be described in another document.

3.4.3 Native Encryption - SIP TLS: mutual TLS authentication for SIP separated
The TLS feature is embedded in the SipMotor process; SIP TLS encryption is now available without the help of an SSM.
This enhancement is available on OXE under the following conditions, managed by MAO:
- No SSM is configured.
- TLS Signaling is enabled.
- The external gateway is configured in TLS.

The need is a dedicated parameter to manage mutual TLS authentication for SIP trunks, independently of the mutual TLS authentication used by IP Phones and Media Gateways in native encryption.
Today the "enable mutual TLS authentication" parameter sits in mgr "system -> ...." Native encryption parameters, and it applies both to SIP trunks and to IP Phones and MGWs.

The demand is to have:
- in a 1st step, in the support version, another system parameter, "enable mutual TLS authentication for SIP", taken into account when the SIP TLS link is established. The "cryptview" and "cryptcheck" tools are also updated to show its value.
- in a 2nd step, a study of whether it could be an external gateway parameter. If yes, it should be implemented in replacement of the system option.
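What the per-SIP flag changes at the TLS layer is whether the OXE side that accepts the trunk demands a trusted client certificate from the peer, or only presents its own. The following Python helper is an added example, not OXE or SipMotor code: sip_tls_context builds the two configurations side by side (server side with and without mutual authentication, client side always authenticating the server and presenting its certificate when mutual authentication is on), and describe() reports the resulting settings the way a cryptview/cryptcheck-style listing would. Function names and the certificate file parameters are my own.

```python
"""Added example (not ALE code): the 'mutual TLS authentication for SIP' flag at the TLS layer.
sip_tls_context and describe are my own helpers; certificate paths are placeholders supplied by the caller."""
import ssl


def sip_tls_context(role, mutual_auth, ca_file=None, cert_file=None, key_file=None):
    """Build the TLS context a SIP endpoint would use for a trunk.
    role: "server" (accepting the trunk) or "client" (initiating it).
    mutual_auth: the per-SIP flag; when set, a server rejects peers without a trusted client certificate."""
    purpose = ssl.Purpose.CLIENT_AUTH if role == "server" else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # floor below which SIP TLS should not negotiate
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)        # our own certificate: server side, or client side when mutual
    if role == "server":
        # Weak setting (flag off): the peer is encrypted to but never authenticated.
        # Hardened setting (flag on): the handshake fails without a certificate chaining to ca_file.
        ctx.verify_mode = ssl.CERT_REQUIRED if mutual_auth else ssl.CERT_NONE
    else:
        ctx.check_hostname = True                       # a client always authenticates the server
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe(ctx):
    """Summarise the settings the way a cryptview/cryptcheck-style report would list them."""
    return {
        "min_version": ctx.minimum_version.name,
        "peer_cert": {ssl.CERT_NONE: "not requested", ssl.CERT_OPTIONAL: "optional",
                      ssl.CERT_REQUIRED: "required"}[ctx.verify_mode],
        "hostname_check": ctx.check_hostname,
    }
```

With the flag off on the server side, a trunk from any host that can reach the TLS port is accepted as long as it negotiates TLS; with it on, only peers holding a certificate issued by the trusted CA get a session, which is the property the separate SIP parameter lets you enforce without also forcing it on every IP Phone and Media Gateway.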

3.4.4 Update OXE Security Check Tool

"securitystatustool" is updated based on recent evolutions in OXE.

Feature / Title | Status | ID | Defects
001_Functional Test - Check tag and value for internal E-Gateway of FSNE enabled node in audit access tool | Passed | CROXE-13456 |
002_Functional Test - Check tag and value for internal E-Gateway of FSNE enabled node in audit access tool after modification | Passed | CROXE-13456 |
003_Functional Test - Check tag and value for external E-Gateway of FSNE enabled node in audit access tool | Passed | CROXE-13456 |
004_Functional Test - Check tag and value for external E-Gateway of FSNE enabled node in audit access tool after modification | Passed | CROXE-13456 |
005_Functional Test - Check keysize and value for CA, CS and Twin Certificates of FSNE enabled node in audit access tool | Passed | CROXE-13456 |
006_Functional Test - Change keysize for CA, CS and Twin Certificates of FSNE enabled node in audit access tool | Passed | CROXE-13456 |
007_Functional Test - Check SAN tag and value for CS and Twin certificates of FSNE enabled node in audit access tool | Passed | CROXE-13456 |
008_Functional Test - Check information for Network certificate of FSNE enabled node in audit access tool | Passed | CROXE-13456 |
009_Functional Test - Check for hashing algorithm for all User Accounts from new installation with default security level | Passed | CROXE-13456 |
010_Functional Test - Check for hashing algorithm for all User Accounts from new installation with enabled high security level | Failed | CROXE-13456 | CROXE-15324
011_Functional Test - Check for hashing algorithm for all User Accounts upgrade from lower release | Passed | CROXE-13456 |
012_Functional Test - Check hashing algorithm for all user accounts by restoration from M3 linux DB | Passed | CROXE-13456 |
013_Functional Test - Check hashing algorithm for new creation of client and ppp accounts from M3 linux DB | Passed | CROXE-13456 |
014_Functional Test - Check hashing algorithm for all user accounts by restoration from M4 linux DB | Passed | CROXE-13456 |
015_Functional Test - Check hashing algorithm for new creation of client and ppp accounts from M4 linux DB | Passed | CROXE-13456 |
016_Non-Functional Test - Check tool with SSH V2 enabled in the node | Passed | CROXE-13456 |
017_Non-Functional Test - Check the tool after isolating ethernet | Passed | CROXE-13456 |
018_Non-Functional Test - Check tool with primary and secondary radius server configured without authentication | Passed | CROXE-13456 |
019_Non-Functional Test - Check tool with primary radius server configured with authentication | Passed | CROXE-13456 |
020_Non-Functional Test - Check tool with many NTP servers and NTP started in the node | Passed | CROXE-13456 |
021_Non-Functional Test - Check tool when aging is modified for client user alone in the node | Passed | CROXE-13456 |
022_Non-Functional Test - Check tool with creation of multiple DISA and REX DISA alone in the node | Passed | CROXE-13456 |
023_Non-Functional Test - Check tool with all trunks enabled DISA in the node | Passed | CROXE-13456 |
024_Non-Functional Test - Check tool with number of users with default secret code in the node | Passed | CROXE-13456 |
025_Non-Functional Test - Check tool with number of users with modified secret code in the node | Passed | CROXE-13456 |
026_Non-Functional Test - Check the tool with Multi IP configuration enabled in the node | Passed | CROXE-13456 |
027_Non-Functional Test - Modify management plane and check the tool in the node | Passed | CROXE-13456 |
028_Non-Functional Test - Check the tool with IP forward enabled in the node | Passed | CROXE-13456 |

3.4.5 Update Linux kernel to 2.6.32-754.24.2 + new openSSH for security vulnerabilities (MD1)
The scope of the feature is to validate the update of the Linux kernel to 2.6.32-754.24.2 and of openSSH to a new version, for security vulnerabilities.
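After applying a delivery, an administrator will want to confirm on the node that the kernel above and the package versions listed in the next section (3.4.6) are actually installed, rather than trust the release note. The following Python script is an added example and not an ALE tool: it parses `rpm -q` output and compares installed version-release strings against the fixed versions quoted in this bulletin with a simplified rpm-style comparison (digit runs compared numerically, letter runs lexically, digits newer than letters, extra trailing segments newer). SAMPLE_RPM_Q is constructed sample output in which nss-util is deliberately left at an older version; function names are my own, and openSSH is omitted because the bulletin does not quote its target version.

```python
"""Added example (not ALE code): verify the packages named in this bulletin are at or above the fixed versions.
Uses a simplified rpmvercmp (tilde/caret handling omitted); function names are my own."""
import re
import subprocess

# Fixed versions quoted in sections 3.4.5 and 3.4.6 of this bulletin (version-release)
REQUIRED = {
    "kernel": "2.6.32-754.24.2",
    "nss": "3.44.0-7.el6_10",
    "nss-softokn": "3.44.0-5.el6_10",
    "nspr": "4.21.0-1.el6_10",
    "nss-util": "3.44.0-1.el6_10",
    "libxml2": "2.7.6-21.el6_8.1",
}

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output; nss-util deliberately old
SAMPLE_RPM_Q = """\
kernel 2.6.32 754.24.2.el6
nss 3.44.0 7.el6_10
nss-softokn 3.44.0 5.el6_10
nspr 4.21.0 1.el6_10
nss-util 3.28.3 1.el6_10
libxml2 2.7.6 21.el6_8.1
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _segments(s):
    return [int(t) if t.isdigit() else t for t in _SEGMENT.findall(s)]


def vercmp(a, b):
    """-1, 0 or 1 following rpmvercmp's core rules."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):          # numeric segment is newer than an alphabetic one
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # more trailing segments = newer


def evrcmp(installed, required):
    """Compare (version, release) against 'version-release': version first, release breaks ties."""
    iv, ir = installed
    rv, rr = required.split("-", 1)
    return vercmp(iv, rv) or vercmp(ir, rr)


def parse_rpm_q(output):
    """Map package name -> (version, release); lines such as 'package X is not installed' are skipped."""
    inv = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 3:
            inv[fields[0]] = (fields[1], fields[2])   # last line wins if several kernels are installed
    return inv


def audit(installed, required=REQUIRED):
    """'ok', 'outdated' or 'missing' per required package."""
    report = {}
    for name, fixed in required.items():
        if name not in installed:
            report[name] = "missing"
        else:
            report[name] = "ok" if evrcmp(installed[name], fixed) >= 0 else "outdated"
    return report


def installed_packages(names=tuple(REQUIRED)):
    """Live query on an RPM-based host (not used by the offline test)."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{NAME} %{VERSION} %{RELEASE}\n", *names],
                         capture_output=True, text=True).stdout
    return parse_rpm_q(out)


if __name__ == "__main__":
    for pkg, state in audit(installed_packages()).items():
        print(pkg, state)
```

Because several kernel packages can coexist, compare the result with `uname -r` as well: an "ok" for the kernel package only proves the fixed kernel is installed, not that the node has been rebooted into it.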

3.4.6 Various security fixes

Vulnerability number (CVE) | Packages | Severity

CVE-2013-1740 | nss | Critical
  Description: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2013-1741 | nss-util, nss | Critical
  Description: Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2013-5605 | nss-util, nss | Critical
  Description: Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2013-5606 | nss-util, nss | Critical
  Description: The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2014-1490 | nss | Critical
  Description: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2014-1491 | nss | Critical
  Description: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2014-1492 | nss | Critical
  Description: The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2014-1544 | nss | Critical
  Description: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2014-1545 | nss | Critical
  Description: Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2014-1568 | nss | Critical
  Description: Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2014-3566 | nss | Critical
  Description: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2015-2730 | nss-softokn | Critical
  Description: Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and other products, does not properly perform Elliptical Curve Cryptography (ECC) multiplications, which makes it easier for remote attackers to spoof ECDSA signatures via unspecified vectors.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2015-7181 | nss, nss-util | Critical
  Description: The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2015-7182 | nss-util | Critical
  Description: Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2015-7183 | nss | Critical
  Description: Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2016-1950 | nss-util | Critical
  Description: Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2017-5461 | nss | Critical
  Description: Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2017-7502 | nss | Critical
  Description: Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2017-7805 | nss | Critical
  Description: During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2018-12384 | nss | Critical
  Description: When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
  Resolution: Upgraded packages to latest version: nss (3.44.0-7.el6_10), nss-softokn (3.44.0-5.el6_10), nspr (4.21.0-1.el6_10), nss-util (3.44.0-1.el6_10)

CVE-2011-1944 | libxml2 | Critical
  Description: Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2011-2834 | libxml2 | Critical
  Description: Double free vulnerability in libxml2, as used in Google Chrome before 14.0.835.163, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2011-3905 | libxml2 | Critical
  Description: libxml2, as used in Google Chrome before 16.0.912.63, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2011-3919 | libxml2 | Critical
  Description: Heap-based buffer overflow in libxml2, as used in Google Chrome before 16.0.912.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2011-3102 | libxml2 | Critical
  Description: Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2012-2807 | libxml2 | Critical
  Description: Multiple integer overflows in libxml2, as used in Google Chrome before 20.0.1132.43 and other products, on 64-bit Linux platforms allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2012-0841 | libxml2 | Critical
  Description: libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2012-5134 | libxml2 | Critical
  Description: Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2013-2877 | libxml2 | Critical
  Description: parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

CVE-2014-0191 | libxml2 | Critical
  Description: The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
  Resolution: Upgraded libxml2 package to latest version 2.7.6-21.el6_8.1

Vulnerability Packages Severity Description Resolution


number(CVE)

CVE-2014- libxml2 Critical parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when Upgraded
3660 entity substitution has been disabled, which allows context-dependent attackers to libxml2 package
cause a denial of service (CPU consumption) via a crafted XML document containing a to latest version
large number of nested entity references, a variant of the "billion laughs" attack. 2.7.6-21.el6_8.1

Vulnerability number (CVE) | Packages | Severity | Description | Resolution
CVE-2018-12127 | kernel | Medium | Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2018-12207 | kernel | Medium | Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2018-13405 | kernel | Medium | The inode_init_owner function in fs/inode.c in the Linux kernel through 4.17.4 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2018-17972 | kernel | Medium | An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-0154 | kernel | Medium | Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may allow an authenticated user to potentially enable denial of service via local access. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-0155 | kernel | Medium | Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to potentially enable escalation of privilege via local access. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-1125 | kernel | Medium | A Spectre gadget was found in the Linux kernel's implementation of system interrupts. An attacker with local access could use this information to reveal private data through a Spectre like side channel. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-3896 | kernel | Medium | A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS). | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-5489 | kernel | Medium | The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-11135 | kernel | Medium | TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-11477 | kernel | Medium | Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-11478 | kernel | Medium | Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-11479 | kernel | Medium | Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-11810 | kernel | Medium | An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-14835 | kernel | Medium | A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
CVE-2019-14821 | kernel | Medium | An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system. | Upgraded kernel package to latest version kernel-2.6.32-ll-dhs3-090.000
Vulnerability number (CVE) | Packages | Severity | Description | Resolution
CVE-2013-1960 | libtiff | Critical | Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2013-1961 | libtiff | Critical | Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2013-4231 | libtiff | Critical | Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2013-4232 | libtiff | Critical | Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2013-4243 | libtiff | Critical | Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2013-4244 | libtiff | Critical | The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2014-8127 | libtiff | Critical | LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2014-8129 | libtiff | Critical | LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2014-8130 | libtiff | Critical | The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2014-9330 | libtiff | Critical | Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2014-9655 | libtiff | Critical | The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-1547 | libtiff | Critical | The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-7554 | libtiff | Critical | The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-8665 | libtiff | Critical | tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-8668 | libtiff | Critical | Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-8683 | libtiff | Critical | The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-8781 | libtiff | Critical | tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-8782 | libtiff | Critical | tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-8783 | libtiff | Critical | tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2015-8784 | libtiff | Critical | The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-3632 | libtiff | Critical | The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-3945 | libtiff | Critical | Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-3990 | libtiff | Critical | Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-3991 | libtiff | Critical | Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-5320 | libtiff | Critical | This vulnerability has been rejected by the source. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-5652 | libtiff | Critical | An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-9533 | libtiff | Critical | tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka "PixarLog horizontalDifference heap-buffer-overflow." | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-9534 | libtiff | Critical | tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow." | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-9535 | libtiff | Critical | tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-9536 | libtiff | Critical | tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka "t2p_process_jpeg_strip heap-buffer-overflow." | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-9537 | libtiff | Critical | tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097. | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2016-9540 | libtiff | Critical | tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." | Upgraded Libtiff package to latest version 3.9.4-21.el6_8
CVE-2014-3668 | php | Critical | Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation. | Removed php package
CVE-2014-3669 | php | Critical | Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value. | Removed php package
CVE-2014-3670 | php | Critical | The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function. | Removed php package
CVE-2014-3710 | php | Critical | The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. | Removed php package

3.5 SYSTEM/INFRA
3.5.1 Native compatibility of Lenovo x3250-M6 & HP DL20 G9 & HP DL320e G8v2 for OXE R12.4
• R12.4 shall run natively on a Lenovo x3250-M6, that is without any virtualization layer and thus without requiring GAS mode
• R12.4 shall run natively on a HP DL20 G9, that is without any virtualization layer and thus without requiring GAS mode

3.5.2 New dongle: take into account new Flex Version

Existing dongles (3BA27768AA) will not be provided anymore.
A new Flex version (virtual machine) takes this new hardware into account; the minimum version of that FlexVM is 2.5.000.001 (CentOS 7.7, 64 bits).

With lower Flex versions (2.1.xxx.yyy) the new dongle will NOT work: a Flex panic will occur.

New dongle: 3BA27768AB

Compatibility matrix:
- Old dongle + FlexVM 2.1: OK (current situation)
- Old dongle + new FlexVM 2.5: OK
- New dongle + FlexVM 2.1: NOK
- New dongle + new FlexVM 2.5: OK

3.5.3 Support of new Hyper-V release Server 2019 (MD1)
Tests were done with OST/EEGW on the Microsoft virtualization platform Hyper-V, Windows Server 2019.

3.5.4 SUSE Patch upgrade support for GAS (concerns the HOST)
GOAL:
Provide a procedure to upgrade to the latest security fixes brought along by the different versions of the
bootDVD delivered in the Business Portal.
Compatibility: SUSE 12.3. The update level is encoded in the digits to the right of the release number, e.g. 12.3.016.000.

This feature is available from GAS version 8.03. Follow the steps below to update the Host OS using the
gas-suse-update.sh script provided in the “OXE SW Server Installer” package.
1. Mount the SUSE boot ISO, available on a DVD/Flash Drive or transferred locally to the host
machine:
mount <source_directory> <target_directory>

For example, if the ISO file is available on a DVD and is to be mounted, execute the following
command:

mount /dev/cdrom /media/cdrom

2. Run the script gas-suse-update.sh
(/home/OmniPCXEnterpriseSoftwareServer/Installation_Folders/Tools) on the terminal with the
mounted directory as argument, as given below:
gas-suse-update.sh /media/<target_directory>
3. The status of the patch update is displayed on the terminal. Detailed logs are available
in /var/log/suse-update.log and /var/log/gas-suse-update.log

The virtual machines (OXE, OMS and WebRTCGW) are gracefully shut down before the patch
update, and the SUSE Host REBOOTS after a successful patch update.

3.5.5 UPS on GAS (minimum version 8.04)

A GAS server can handle a USB connection to an Eaton UPS.

From version r_oxesws_8.04, GAS supports monitoring a UPS through USB. While the AS is powered by the
UPS during a mains failure, GAS ensures an automatic safe shutdown of the AS and its VMs if the UPS battery
charge drops to the configured value (default: 30%).

Minimum requirement:
- GAS 8.04
- bootDVD 12.3.020.001

This feature was tested on UPS MGE Ellipse 1200

Services provided:
▪ Ensuring graceful shutdown of the VMs and the host if the UPS battery charge drops to the configured value.
▪ Logging the state of UPS events and errors.

UPS connectivity with AS

In this setup, an AS where GAS is deployed is connected to a UPS with an AC power cable and a USB signal
cable.

Figure 1. UPS architecture

The power cable draws power from the UPS to the AS, and the USB signal cable is used to monitor the status of the UPS.

UPS Management

UPS management in the GAS package is performed with the help of the NUT package present in the SUSE Host
OS.
The GAS package provides a script (gasups) which runs on the host OS. It acts as a scheduler which
receives the status of the UPS as events from the Monitor (upsmon), and the respective actions are triggered.
The following 3 types of events are sent by the Monitor to the Scheduler (gasups):
ONLINE – the system is powered from the mains.
ONBATT – the system's power supply has switched to battery.
LOWBAT – the UPS battery charge has reached the configured (default: 30 %) low value.

GAS UPS Operations:
The diagram below represents the handling of the events ONLINE, ONBATT and LOWBAT by the Scheduler (gasups)
with their corresponding actions.

Figure 8. UPS event handling

- On reception of the events ONBATT, ONLINE and LOWBAT from the UPS monitor, the status is logged to the file
/var/log/gasups.log
- On receiving a LOWBAT event, the VMs (OXEVM, OMSVM (if installed) and WebRTCGW (if installed)) are
shut down gracefully, followed by the shutdown of the host.

Before shutting down the host, a file /etc/killpower is created which acts as a flag to denote that the GAS
Host has shut down because of low power in the UPS. This file is deleted when the UPS service starts on
the next boot.
Note: If a user wants the AS to be powered on automatically as soon as the mains are back, the
parameter “Automatic Power Restore” (applicable to AS supplied by IBM; the relevant option can be
enabled for other OEMs) needs to be enabled in the BIOS. This is independent of the UPS feature.

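The event handling described above (log every event, and on a low-battery event shut the VMs down before the host, leaving a flag file behind), as an added POSIX shell example. This is not the gasups script shipped with GAS: the event name passed as the first argument mirrors what a NUT notify command receives, the VM names come from the bulletin, but the use of virsh for the guest shutdown, the GASUPS_LOG/GASUPS_KILLPOWER overrides and the DRY_RUN switch are assumptions made for this example. Both spellings used in the bulletin, LOWBAT and LOWBATT, are accepted.

```shell
#!/bin/sh
# Added example, not the gasups script from the GAS package.
# Models the scheduler behaviour the bulletin describes:
#   every event is logged; LOWBAT(T) triggers VMs -> flag file -> host shutdown.
# Assumptions: the event name is $1 (as for a NUT NOTIFYCMD), guests are
# libvirt-managed (virsh), and the paths below can be overridden for testing.

LOG="${GASUPS_LOG:-/var/log/gasups.log}"          # bulletin: /var/log/gasups.log
KILLPOWER="${GASUPS_KILLPOWER:-/etc/killpower}"   # bulletin: /etc/killpower flag
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print the shutdown steps only

log_event() {
    # Every event is recorded first, whatever action follows.
    printf '%s UPS event: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG"
}

# Maps a monitor event to the scheduler action; prints the action name.
ups_action_for_event() {
    case "$1" in
        ONLINE)          echo "log" ;;       # mains back: nothing to do but log
        ONBATT)          echo "log" ;;       # on battery: log and wait
        LOWBAT|LOWBATT)  echo "shutdown" ;;  # battery at the configured low value
        *)               echo "ignore" ;;    # unknown event: logged, no action
    esac
}

run_or_echo() {
    if [ "$DRY_RUN" = "1" ]; then echo "would run: $*"; else "$@"; fi
}

# Ordered shutdown: guest VMs first, then the flag file, then the host.
shutdown_sequence() {
    for vm in OXEVM OMSVM WebRTCGW; do       # VM names as listed in the bulletin
        run_or_echo virsh shutdown "$vm"     # assumption: libvirt-managed guests
    done
    # Flag file so the next boot can tell this was a low-battery shutdown.
    if [ "$DRY_RUN" = "1" ]; then
        echo "would create $KILLPOWER"
    else
        : > "$KILLPOWER"
    fi
    run_or_echo shutdown -h now
}

# Entry point: log, decide, act; prints the action taken.
handle_ups_event() {
    event="$1"
    log_event "$event"
    action=$(ups_action_for_event "$event")
    [ "$action" = "shutdown" ] && shutdown_sequence
    echo "$action"
}

# Stand-alone use: GASUPS_LOG=/tmp/gasups.log sh handler.sh LOWBATT
if [ -n "${1:-}" ]; then
    handle_ups_event "$1"
fi
```

The VM-before-host ordering and the flag file are the two parts worth keeping in any real handler: the flag is what lets the next boot distinguish a low-battery shutdown from a crash, and it must be created before the host goes down, not after.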
GAS UPS management

The UPS related services can be managed using the following commands.
$ gasups start

This command must be executed successfully to configure “UPS support in GAS”.

After successful execution, this command starts the UPS related services in GAS.
This command does the basic configuration of the NUT related modules.
It enables the NUT related modules (driver, daemon and monitor) by starting the services nut-driver, nut-server and nut-monitor. These services are started automatically from the next boot.
In case of a command/service start failure, it shows the error on the screen and logs the error in
“/var/log/gasups.log”.
The UPS related services are not started if the NUT package is not installed or the UPS is not connected/detected by
the NUT package.
If the UPS related services are already started, this command restarts them.

$ gasups stop
This command is used to stop the UPS related services.

$ gasups status
Provides the current status of all the UPS related services (running/stopped). It also gives the current UPS
battery charge in percentage and the configured UPS low battery charge value.
e.g. $ gasups status
Battery Charge: battery.charge: 100
Configured Low Battery Value: battery.charge.low: 30
UPS Service Status: Running

$ gasups restart
Used to restart the UPS related services.

$ gasups lowbatt [ChargeValueInPercentage]

It is used to configure the UPS low battery charge value (default: 30%)
e.g. $ gasups lowbatt 35
Configured Low Battery Value: battery.charge.low: 35

3.5.6 Web RTC GW on OXE A/S Generic

This feature is available from GAS version 8.03.
The new GAS version now includes the possibility to install or add the Web RTC GW on a GAS server.

3.6 MAINTENANCE/TOOLS
3.6.1 Have different incidents between hard-phone and IPDSP
The objective of this feature is to have different incidents for the IP Hard phone and the IP Desktop Softphone (IPDSP).

Existing Behavior
The existing behavior is that whenever an IP Hard phone or IPDSP goes out of service or restarts, the OXE
generates an incident based on the cause of the restart or out-of-service. The incident generated for the
IP Hard phone and for the IPDSP is the same.
If the LAN is removed from the IP Hard phone or from the PC, incidents 386, 426 and 2053 are generated in the OXE.
If the IP Hard phone or IPDSP is registered for the first time, incidents 389, 426 and 2053 are generated. If the
“inserv” command is used, incidents 389, 426 and 2053 are generated as well.

Incident number | Incident Text
0386 | " Sig. on IP set: No response from de set "
0389 | " Sig. on IP set: set demand a reset "
0426 | " IPTOUCH terminal reset "
2053 | " Terminal in service"

Enhancement
The enhancement of this feature is to distinguish between the incidents of the IP Hard phone and of the IPDSP. The
existing incidents 386, 389, 426 and 2053 are now applicable only to the IP Hard phone and not to the IPDSP. For
the IPDSP, new incidents are introduced to identify the cause of the restart or OOS. Incident 6051 is used
when the IPDSP goes out of service, irrespective of the reason for the OOS. Incident 6052 is used when the IPDSP
comes into service.
The difference in the incidents generated for the IPDSP due to the enhancement is described in the table
below.

Scenario | Old behavior of IPDSP | New behavior of IPDSP
Closing the IP softphone application | 0389 | 6051
Opening the IP softphone application | 0426, 2053 | 6052
When the IP Hard phone or IPDSP is put out of service using “prefix” | No incident | No incident
When the IP Hard phone or softphone is put out of service by unplugging the LAN cable from the terminal or from the PC | 0386 | 6051
After unplugging the LAN, when the IP Hard phone or softphone comes into service | 0426, 2053 | 6052
When the IP Hard phone or softphone is put out of service using the command “outserv” | No incident | No incident
When the IP Hard phone or softphone comes into service after giving the "inserv" command | 0389, 0426, 2053 | 6051, 6052
When the IP Hard phone or softphone comes into service after registration | 0389, 0426, 2053 | 6051, 6052

New incidents:
6051: IPDSP is put out of service
6052: IPDSP is put in service

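The practical consequence for anyone monitoring OXE incidents is that, after this enhancement, a rule keyed only on 0386/0389/0426/2053 no longer sees softphone outages; it must also match 6051/6052. The following POSIX shell snippet is an added example, not from the bulletin, that applies the new mapping to a few constructed incident lines and counts out-of-service events per device type. The "<date> <time> <incident number> <text>" line layout and the sample lines are constructed for the demonstration and are not the real OXE incident format.

```shell
#!/bin/sh
# Added example (not from the bulletin): classify OXE incident numbers with the
# post-enhancement mapping and count out-of-service events per device type.
# The log line format below is an assumption for the demo, not the OXE format.

# Maps one incident number to "<device>:<state>"; leading zeros are ignored
# so that 0386 and 386 are treated as the same incident.
classify_incident() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    case "$n" in
        386)  echo "hardphone:oos" ;;      # Sig. on IP set: no response from the set
        389)  echo "hardphone:reset" ;;    # Sig. on IP set: set demanded a reset
        426)  echo "hardphone:reset" ;;    # IPTOUCH terminal reset
        2053) echo "hardphone:inserv" ;;   # Terminal in service
        6051) echo "ipdsp:oos" ;;          # IPDSP is put out of service (new)
        6052) echo "ipdsp:inserv" ;;       # IPDSP is put in service (new)
        *)    echo "other" ;;
    esac
}

# Constructed sample lines: "<date> <time> <incident> <text>" (not real OXE output).
SAMPLE_LOG='2020-07-06 09:00:01 0386 Sig. on IP set: No response from de set
2020-07-06 09:00:05 0426 IPTOUCH terminal reset
2020-07-06 09:00:06 2053 Terminal in service
2020-07-06 09:10:00 6051 IPDSP is put out of service
2020-07-06 09:12:30 6052 IPDSP is put in service
2020-07-06 09:20:00 6051 IPDSP is put out of service
2020-07-06 09:25:00 0389 Sig. on IP set: set demand a reset'

# Counts the sample lines whose incident maps to the requested class,
# e.g. count_class ipdsp:oos. Uses a here-document so the counter survives
# the loop (a pipe into "while read" would run it in a subshell).
count_class() {
    wanted="$1"
    total=0
    while read -r _date _time num _rest; do
        [ -n "$num" ] || continue
        if [ "$(classify_incident "$num")" = "$wanted" ]; then
            total=$((total + 1))
        fi
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$total"
}

# Stand-alone use: prints one summary line per class of interest.
for cls in hardphone:oos hardphone:reset ipdsp:oos ipdsp:inserv; do
    echo "$cls: $(count_class "$cls")"
done
```

The two IPDSP out-of-service events in the sample are invisible to a rule that only knows the four legacy numbers, which is exactly the gap the new incidents 6051 and 6052 are meant to close.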
3.6.2 Easy installation of OXE
This feature allows users/administrators to load an OXE CPU as a Distributor from an ISO image/ZIP file present
in the /tmpd directory of that Distributor OXE CPU. The loaded ISO image/ZIP file is then used to install a version
and/or its static patches on the inactive partition of the Distributor OXE CPU. The BP must first transfer the ISO
image/ZIP file through FTP to the /tmpd directory. It is also possible to install a dynamic patch on the active or
inactive partition of the client CPU.

A new menu entry, swinst → 2. Expert menu → 9. Remote download → 10. ‘Local load as distributor of ISO image/ZIP
file and installation’, is added to the swinst tool to load an OXE CPU as Distributor with the ISO image/ZIP file.
The Distributor OXE CPU must have the version/patch files in ISO/ZIP format in the /tmpd directory. Once the ISO
image/ZIP file is loaded, the version or patch is installed on the Distributor OXE CPU.

ALCATEL-LUCENT
Remote Download menu                                   Installation FACILITIES 3.43.0

1 Remote install of a client CPU
2 Retry the last remote install operation (if justified)
3 About last remote install (if trace exists)
4 Remote load a CPU as master or distributor
5 Retry the last remote load operation (if justified)
6 About last remote load operation (if trace exists)
7 Cleaning operation on master/distributor CPU
8 Programmed operations
9 Fast Delta programmed operations
10 Local load as distributor of ISO image/ZIP file and installation
Q Go back to previous menu

Your choice [1..9, Q]

When this submenu is selected, the name of the ISO/ZIP file in the /tmpd directory must be given, as follows:

ALCATEL-LUCENT
Remote Download menu Installation FACILITIES 3.43.0

Please enter the name of the ISO/ZIP file in /tmpd directory (enter for none)
=> OXE-m430218a.iso

Confirm the local load of OXE-m430218a.iso (y/n, default y): y

******* REMOTE LOAD OPERATION *******

BEGIN REMOTE LOADING OPERATION AT


DATE : 09/27/19 TIME : 14:09:43

BEGIN LOADING installation files


*******************************
Getting file /OXE-m430218a.iso/installlinux/rload

BEGIN LOADING LINUX


*******************
Getting file /OXE-m430218a.iso/pcmao/boot_res/bootp/linux/129.000/archive.chk

BEGIN LOADING PACKAGES


**********************
No packages to download in this delivery
:
:

BEGIN LOADING export PART OF THE PHONE


**************************************

Restoring flush

OPERATION ENDED CORRECTLY AT


DATE : 09/27/19 TIME : 14:34:25

Select the partition for installation of OXE-m430218a.iso


1 for the ACTIVE version (default)
2 for the INACTIVE version
q to quit
=>2

Confirm the remote install of dyn_m5.202.4.c (y/n, default y):y

Installing client CPU ...

******* REMOTE INSTALL CLIENT v2.50 *******


Distrib CPU : kvm23
Client CPU : kvm23
Client country : fr
Retry mode : no

Checking files after installation : no


DATE : 09/20/19 TIME : 19:47:04
Install of OXE-m430218a.iso
The distrib CPU checking is correct
.
.
Common post installation
End of post installation

THE MODULE comm IS CORRECTLY INSTALLED.
Restoring flush

OPERATION ENDED CORRECTLY AT


DATE : 09/20/19 TIME : 19:58:02

Press return

With this option, the ISO/ZIP archive is loaded and installed on the Distributor CPU.
The loaded ISO files are saved under the following directories:
/usr4/ftp/ISO/version for full versions
/usr4/ftp/ISO/patch for static patches
/usr4/ftp/ISO/dynpatch for dynamic patches

The loaded ZIP files are saved under the following directories:
/usr4/ftp/ZIP/version for full versions
/usr4/ftp/ZIP/patch for static patches
/usr4/ftp/ZIP/dynpatch for dynamic patches

The directory structure of an ISO file contains “dhs3mgr” followed by the directories corresponding to the
different patches.
A ZIP file may or may not contain “dhs3mgr”.

3.6.3 WBM: search functionality (MD1)
The OXE WBM now provides a function to search for a parameter name in the object model of the
database. It does NOT search for managed values. The result is displayed in the page itself. A minimum of
3 characters is required; the search is not sensitive to case or to accents. The language is the one selected
at WBM connection.

The next print screen shows this kind of result for a search with the keyword “encryption”.
The “click and GO” evolution will come in MD1: the possibility to click on a search result and go directly to
the right object.

The feature searches only in the object model, meaning that a result can be displayed even if the
corresponding management has not been done in the database.
The feature does not search in the data (e.g. a search for a user name is not possible).

The MD1 patch adds the “click & GO” possibility: after a search, the result is presented and can be clicked.
The WBM then brings the user to the closest branch of the result.

Submitting a Service Request

Please connect to our eService Request application.

Before submitting a Service Request, please be sure:

- The application has been certified via the AAPP if a third party application is involved.
- You have read the release notes that list new features, system requirements, restrictions, and
  more, and are available in the Technical Documentation Library.
- You have read through the related troubleshooting guides and technical bulletins available in the
  Technical Documentation Library.
- You have read through the self-service information on commonly asked support questions and
  known issues and workarounds available in the Technical Knowledge Center.

- END OF DOCUMENT -
