Readme File for Cisco Secure Access Control System (ACS)

Release: ACS 5.6.0.22
Patch: 5-6-0-22-3.tar.gpg
=======================================================================================

This patch fixes:

Patch 1:
* Bug Id:
  - CSCur00511 ACS evaluation for CVE-2014-6271 and CVE-2014-7169

Patch 2:
* Bug Id:
  - CSCur10264 Filtering and Sorting Functionality in ACS5.6 reports
  - CSCuq67241 ACS 5.5 Disable Account if Date Exceeds does not work
  - CSCuq13294 ACS 5.3 node registered to 5.5 Primary while migrating ACS Database.
  - CSCuq35410 Not possible to search for usernames containing the ' character
  - CSCuq11378 ACS 5.5 IP range/address overlapping in Network Device/AAA Client
  - CSCuq06377 All the Filters are listed for Reports after added to the Saved Reports
  - CSCuq21543 Day Auth info missing in SGT Assignment Report
  - CSCuq21559 Timerange displaying incorrect info while crosslaunch
  - CSCuq22094 Scheduled report details page displaying last viewed report
  - CSCuq46862 Scheduled report not displaying custom time range
  - CSCuq56757 From & To time range should be changed in Session Directory reports
  - CSCur30345 ACS : Evaluation of SSLv3 POODLE vulnerability
  - CSCur27402 ACS 5.6 unable to save report as scheduled report

Patch 3:
* Bug Id:
  - CSCuq62466 RemoteDB export is failing to MSSQL when data having Junk characters
  - CSCur42721 Improve TACACS+ threading in ACS 5.x
  - CSCur59417 ACS 5.x apostrophe, plus sign causing gui log out
  - CSCur68196 ACS 5.5 Running Jobs are Stopped
  - CSCur98716 ACS 5.4 GC overhead limit exceeded/Monitoring and Reports not loading
  - CSCus17482 Primary sends incorrect reference to secondary after object deletion
  - CSCus38676 ACS 5.6 AAA health alarm can't be edited/enabled
  - CSCus42056 View Incremental backup issues
  - CSCus42060 clear the collector buffer proactively when logs are not running
  - CSCus55169 ACS 5.4 to 5.6 application not starting due to encryption problem
  - CSCus68826 ACS 5 is vulnerable to CVE-2015-0235
  - CSCut55144 Special characters issue
  - CSCut05442 IP Subnets Overlap With Those Defined for device
  - CSCut20508 ACS 5.6 IP subnets overlap for excluded ip ranges
  - CSCut01441 Runtime crashes if received SIGPIPE (broken pipe) signal
  - CSCus52928 ACS 5.6: schedule backup gets several files on FTP at same time
  - CSCus80750 ServiceSelection rule fails to hit if T+Ascii req doesn't have username

Patch 5-6-0-22-3.tar.gpg consists of:
* files
  acs-distributedmanagement-5.6.0.22.B.225.jar
  acs-bl-framework-5.6.0.22.B.225.jar
  acs-bl-api-5.6.0.22.B.225.jar
  acsview.war
  User_Authentication_Summary.xml
  Endpoint_MAC_Authentication_Summary.xml
  Authentication_Failure_Code_Lookup.xml
  SGT_Assignment_Summary.xml
  ACS_Instance_Authentication_Summary.xml
  acsadmin.war
  liferay.war
  Rest.war
  acs-db-5.6.0.22.B.225.jar
  libCryptoLib.so
  rptframework-5.0.jar
  dbms-5.0.jar
  acs-replication-5.6.0.22.B.225.jar
  collection-5.0.jar
  remotedatabase-5.0.jar
  dataupgrade-5.0.jar
  incrbackup-5.0.jar
  commons-lang3-3.1.jar
  dbpurge-5.0.jar
  logrecovery-5.0.jar
  rt_daemon
  libActiveDirectoryIDStore.so
  libEventHandler2.so
  libtacacs.so
  libInternalIDStore.so
  libLDAPIDStore.so
  modifyUserNameDatatype.sql
  change_encryption.sh
  libAdminAuthenFlow.so
  libRadiusRequestFlow.so
  libService.so
  libTacacsAuthenFlows.so
  libTacacsFlow.so
  acsview_restore_to_cleandb.sh
  acsview_decapremove_check.sh
  proactive-alerts-5.0.jar
  CLI.war
  acs-common-5.6.0.22.B.225.jar
  tzdata2015a.tar
* adeos-patch
  bash-3.2-33.el5_11.4.i386.rpm

Prerequisites
=============
This patch should be installed only on top of the ACS 5.6.0.22 FCS release or ACS 5.6.0.22 with patch 1 to patch 2. Other prerequisites are the same as for ACS 5.6.0.22 (FCS version).

If you installed the FCS version of ACS 5.6.0.22, the "show version" output displays the following for ACS Version:

Version : 5.6.0.22
Internal Build ID : B.225

What the Patch Fixes
====================
- CSCur00511 ACS evaluation for CVE-2014-6271 and CVE-2014-7169
  This fix addresses the vulnerabilities identified in the bash shell by upgrading the required system libraries. Because this patch includes security fixes that require an ACS server reboot, it is highly recommended to choose the reboot option when the patch installation process prompts for it.

- CSCur10264 Filtering and Sorting Functionality in ACS5.6 reports
  As part of the fix, filtering and sorting functionality is available for 5.6 reports.

- CSCuq67241 ACS 5.5 Disable Account if Date Exceeds does not work
  With this fix, the user account is disabled properly once the date is exceeded.

- CSCuq13294 ACS 5.3 node registered to 5.5 Primary while migrating ACS Database.
  With this fix, if you restore a backup from one of the ACS servers in a deployment onto a new ACS server (of another version) that has connectivity to the other ACS servers in the deployment, the secondary servers in the deployment no longer get registered to the new ACS server.

- CSCuq35410 Not possible to search for usernames containing the ' character
  With this fix, usernames containing the ' character are searchable.

- CSCuq11378 ACS 5.5 IP range/address overlapping in Network Device/AAA Client
  With this fix, Network Devices/AAA clients with different IP ranges can be added.

- CSCuq06377 All the Filters are listed for Reports after added to the Saved Reports
  With this fix, only the mandatory fields are listed along with the user-selected filter values.

- CSCuq21543 Day Auth info missing in SGT Assignment Report
  With this fix, the report displays the Day Authentication Summary details.

- CSCuq21559 Timerange displaying incorrect info while crosslaunch
  With this fix, when cross-launching from the RADIUS/TACACS+ Authentication Summary page to the User, Network Device, Access Summary, Failure Reason, or ACS Instance Authentication Summary report, the time range is displayed for the last 30 days report.

- CSCuq22094 Scheduled report details page displaying last viewed report
  With this fix, the newly configured report is displayed.

- CSCuq46862 Scheduled report not displaying custom time range
  With this fix, the custom time range is displayed on the scheduled reports page.

- CSCuq56757 From & To time range should be changed in Session Directory reports
  With this fix, the From and To time range is displayed according to the selected time range.

- CSCur30345 ACS : Evaluation of SSLv3 POODLE vulnerability
  As part of the fix, SSLv3 has been disabled to address this vulnerability.

- CSCur27402 ACS 5.6 unable to save report as scheduled report
  The issue is caused by a timezone with four characters in the CLI. After this fix, reports can be saved with a four-character timezone set in the CLI.

- CSCuq62466 RemoteDB export is failing to MSSQL when data having Junk characters
  The issue is caused by junk characters in the username. With this fix, remote DB export works even when the username contains junk characters.

- CSCur42721 Improve TACACS+ threading in ACS 5.x
  With this fix, the TACACS+ connection thread mechanism has been improved by using a dedicated thread pool.

- CSCur59417 ACS 5.x apostrophe, plus sign causing gui log out
  With this fix, ACS throws an error message instead of logging out if any parameter contains invalid characters.

- CSCur68196 ACS 5.5 Running Jobs are Stopped
  With this fix, remote DB connections are closed properly and the jobs run properly.

- CSCur98716 ACS 5.4 GC overhead limit exceeded/Monitoring and Reports not loading
  As part of the fix, the "GC overhead limit exceeded" exception that occurred while disabling the log recovery feature with a large number of records is fixed.

- CSCus17482 Primary sends incorrect reference to secondary after object deletion
  This fix addresses the replication issue caused by an incorrect reference being sent to the secondary. With this fix, there is no longer an issue due to an incorrect reference and replication works properly.

- CSCus38676 ACS 5.6 AAA health alarm can't be edited/enabled
  With this fix, the AAA health alarm can be edited/enabled.

- CSCus42056 View Incremental backup issues
  This fix addresses the multiple issues reported for the incremental backup scenario.

- CSCus42060 clear the collector buffer proactively when logs are not running
  With this fix, the collector buffer is cleared proactively so that logs are shown without issues in the view reports.

- CSCus55169 ACS 5.4 to 5.6 application not starting due to encryption problem
  With this fix, the encryption issue is resolved and the services come up fine.

- CSCus68826 ACS 5 is vulnerable to CVE-2015-0235
  This fix addresses the CVE-2015-0235 vulnerability.

- CSCut55144 Special characters issue
  With this fix, no internal error is thrown and threshold configurations can be created.

- CSCut05442 IP Subnets Overlap With Those Defined for device
  The issue is that the fourth octet was not taken into consideration. With this fix, ACS checks for IP subnet overlap across all octets.

- CSCut20508 ACS 5.6 IP subnets overlap for excluded ip ranges
  With this fix, IP subnet overlap for excluded IP ranges is properly validated.

- CSCut01441 Runtime crashes if received SIGPIPE (broken pipe) signal
  The issue occurred when the runtime tried to write to a closed TCP socket during a TACACS+ request. With this fix, the runtime does not crash when a SIGPIPE occurs during a TACACS+ request.

- CSCus80750 ServiceSelection rule fails to hit if T+Ascii req doesn't have username
  This fixes the service selection rule not matching when the first TACACS+ ASCII request does not carry the username.

- CSCus52928 ACS 5.6: schedule backup gets several files on FTP at same time
  This fix also prevents multiple entries being added to the running-config, and only one backup is taken.
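The overlap validation that CSCut05442 and CSCut20508 describe, as an added example (this is not Cisco's code; the CIDR and "first-last" range syntax, the exclude handling and the sample inventory are assumptions, not the ACS GUI's exact grammar): it compares whole 32-bit address ranges, so the fourth octet is always considered, and carves excluded ranges out of each device before checking a new device for conflicts.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
Range = Tuple[int, int]               # inclusive (first, last) as 32-bit integers
Device = Tuple[List[str], List[str]]  # (IP ranges, excluded IP ranges); syntax assumed

def parse_range(text: str) -> Range:
    """'10.1.1.0/30' or '10.1.1.5-10.1.1.20' -> inclusive integer bounds.
    Comparing whole 32-bit values means every octet, the fourth included, counts."""
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"reversed range: {text}")
    return lo, hi

def fmt(r: Range) -> str:
    return f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])}"

def subtract(r: Range, excludes: List[Range]) -> List[Range]:
    """Carve the excluded ranges out of r and return the pieces that remain."""
    pieces = [r]
    for ex_lo, ex_hi in excludes:
        nxt: List[Range] = []
        for lo, hi in pieces:
            if ex_hi < lo or ex_lo > hi:       # exclusion does not touch this piece
                nxt.append((lo, hi))
                continue
            if lo < ex_lo:                     # keep the part before the exclusion
                nxt.append((lo, ex_lo - 1))
            if ex_hi < hi:                     # keep the part after it
                nxt.append((ex_hi + 1, hi))
        pieces = nxt
    return pieces

def effective_ranges(device: Device) -> List[Range]:
    ranges, excludes = device
    ex = [parse_range(e) for e in excludes]
    return [p for r in ranges for p in subtract(parse_range(r), ex)]

def find_overlap(new: Device, existing: Dict[str, Device]) -> Optional[Tuple[str, str, str]]:
    """First conflict as (device name, new range, existing range), or None."""
    for n_lo, n_hi in effective_ranges(new):
        for name, dev in existing.items():
            for lo, hi in effective_ranges(dev):
                if lo <= n_hi and n_lo <= hi:  # inclusive intervals intersect
                    return name, fmt((n_lo, n_hi)), fmt((lo, hi))
    return None

EXISTING: Dict[str, Device] = {"switch-a": (["10.1.1.0/24"], ["10.1.1.200-10.1.1.255"]),
                               "switch-b": (["10.1.2.0/30"], [])}  # constructed sample, not real data
```

With the sample inventory, 10.1.2.8/30 is accepted even though its first three octets match switch-b, and 10.1.1.200-10.1.1.210 is accepted because switch-a excludes that range.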
Version details after installing the patch:

#show application version acs

Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.6.0.22.3
Internal Build ID : B.225
Patches : 5-6-0-22-3

Instructions on how to install the patch
========================================
1. Open the CLI console.
2. Define a new repository in which 5-6-0-22-3.tar.gpg resides.
3. Issue: 'acs patch install 5-6-0-22-3.tar.gpg repository YOUR_REPOSITORY'
4. Verify the installation by getting the following version information via the CLI by issuing:

#show application version acs

Cisco ACS VERSION INFORMATION
=============================
Version : 5.6.0.22.3
Internal Build ID : B.225
Patches : 5-6-0-22-3

Instructions on how to remove the patch
=======================================
1. Open the CLI console.
2. Issue: 'acs patch remove 5-6-0-22-3'
3. Verify the patch removal by getting the following version information via the CLI by issuing:

#show application version acs
(The version will be ACS 5.6 FCS)

Cisco ACS VERSION INFORMATION
=============================
Version : 5.6.0.22
Internal Build ID : B.225

=======================================================================
Copyright (C) 2015 Cisco Systems, Inc. All rights reserved.
Cisco and Cisco Systems are registered trademarks of Cisco Systems, Inc., in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.
=======================================================================