SpectroSERVER crash post-upgrade to 20.2.7 in Qualys security scan

Article ID: 210823

Products

CA Spectrum

Issue/Introduction

We have recently upgraded Spectrum to 20.2.7. Twice since then, we have observed SS down for both Primary and Secondary. The timings of both crashes coincide with our Qualys security scan.

The following message was observed in VNM.OUT:

Mar 06 23:46:38 ERROR at CsCifFrn.cc(1225): Connection Interface Versions Incompatible
Version for this applications is: 2  Foreign application does not have a version number.
Mar 06 23:46:44 ERROR at CsCifFrn.cc(1225): Connection Interface Versions Incompatible
Version for this applications is: 2  Foreign application does not have a version number.

Stack output from core file:

Core was generated by `/opt/CA/Spectrum/SS/SpectroSERVER'.
Program terminated with signal 11, Segmentation fault.

#0  0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x00007f3245b12119 in zlib_stateful_init () from /opt/SPECTRUM/lib/libGlobl.so.1
#2  0x00007f31cc694098 in COMP_CTX_new () from /opt/SPECTRUM/lib/libvbsec64.so
#3  0x00007f31cc679abd in tls1_change_cipher_state () from /opt/SPECTRUM/lib/libvbsec64.so
#4  0x00007f31cc66b434 in ssl3_do_change_cipher_spec () from /opt/SPECTRUM/lib/libvbsec64.so
#5  0x00007f31cc66d123 in ssl3_read_bytes () from /opt/SPECTRUM/lib/libvbsec64.so
#6  0x00007f31cc66da91 in ssl3_get_message () from /opt/SPECTRUM/lib/libvbsec64.so
#7  0x00007f31cc66ddfd in ssl3_get_finished () from /opt/SPECTRUM/lib/libvbsec64.so
#8  0x00007f31cc6610b1 in ssl3_accept () from /opt/SPECTRUM/lib/libvbsec64.so
#9  0x00007f31cc59d402 in mFt_Cryptlib_SSL_accept () from /opt/SPECTRUM/lib/libvbsec64.so
#10 0x00007f31cc59321c in vbsec::VBSSLEngine::handshake() () from /opt/SPECTRUM/lib/libvbsec64.so
#11 0x00007f31cc470ebc in vbsec::SSLConnection::doHandshake() () from /opt/SPECTRUM/lib/libvbsec64.so
#12 0x00007f31cc450115 in vbsec::CSIV2Listener::accept(unsigned long long) () from /opt/SPECTRUM/lib/libvbsec64.so
#13 0x00007f3243023fd4 in VISSocketMTSCM::begin() () from /opt/SPECTRUM/lib/liborbcore64_r.so.8.0
#14 0x00007f32429fbf13 in VISThread::_start(void*) () from /opt/SPECTRUM/lib/libvport64_r.so
#15 0x00007f3241b93ea5 in start_thread () from /lib64/libpthread.so.0
#16 0x00007f32418bc96d in clone () from /lib64/libc.so.6

Cause

The crash occurs during the Qualys security scan, in the OpenSSL zlib_stateful_init API.
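
The crash signature above (a jump to address 0 in frame #0, called from zlib_stateful_init under COMP_CTX_new during ssl3_accept) can be matched against gdb backtraces from other core files to confirm they show the same defect. The Python below is an added example, not part of the patch or of Spectrum; the names parse_frames and triage and the control backtrace are constructed for illustration.

```python
import re

# One gdb frame: "#1  0x<pc> in <func> (<args>) from <lib>"
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+0x(?P<pc>[0-9a-fA-F]+) in (?P<func>.+?) \(.*?\)"
    r"(?: from (?P<lib>\S+))?\s*$"
)

# Caller chain from the article's core file, innermost first.
CHAIN = ("zlib_stateful_init", "COMP_CTX_new",
         "tls1_change_cipher_state", "ssl3_accept")

def parse_frames(text):
    """Return [(index, pc, function, library)], dropping gdb's repeated frame #0."""
    frames, seen = [], set()
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m and m["idx"] not in seen:
            seen.add(m["idx"])
            frames.append((int(m["idx"]), int(m["pc"], 16), m["func"], m["lib"]))
    return frames

def triage(text):
    """Return (matches_signature, library_of_the_calling_frame)."""
    frames = parse_frames(text)
    if len(frames) < 2 or frames[0][1] != 0:   # frame #0 must be a jump to address 0
        return (False, None)
    callers = iter(f[2] for f in frames[1:])
    # Each CHAIN entry must appear, in order, among the calling frames.
    in_order = all(any(name == want for name in callers) for want in CHAIN)
    return (in_order, frames[1][3] if in_order else None)

# Excerpt of the backtrace shown in this article.
ARTICLE_BT = """\
#0  0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x00007f3245b12119 in zlib_stateful_init () from /opt/SPECTRUM/lib/libGlobl.so.1
#2  0x00007f31cc694098 in COMP_CTX_new () from /opt/SPECTRUM/lib/libvbsec64.so
#3  0x00007f31cc679abd in tls1_change_cipher_state () from /opt/SPECTRUM/lib/libvbsec64.so
#8  0x00007f31cc6610b1 in ssl3_accept () from /opt/SPECTRUM/lib/libvbsec64.so
#10 0x00007f31cc59321c in vbsec::VBSSLEngine::handshake() () from /opt/SPECTRUM/lib/libvbsec64.so
"""

# Constructed control: a crash that does not involve TLS compression (hypothetical frames).
OTHER_BT = """\
#0  0x00007f0000001234 in memcpy () from /lib64/libc.so.6
#1  0x00007f0000005678 in example_handler () from /opt/example/lib/libexample.so
"""

if __name__ == "__main__":
    for name, bt in (("article", ARTICLE_BT), ("control", OTHER_BT)):
        print(name, triage(bt))
```

For the article's backtrace, the library returned is libGlobl.so.1, the same file listed in the patch's bill of materials.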

Environment

Release : 20.2

Component : Spectrum Core / SpectroSERVER

Resolution

10.04.03.D131 was built for this crash.  Please contact support to request a copy.

REQUIREMENTS

SPECTRUM 10.04.03 is the prerequisite for installing this patch.

This patch needs to be installed on SpectroSERVER.

OVERVIEW 

This is a Debug patch for the following issue:

DE496191 Details:
SpectroServer Down on Weekend post upgrade to 20.2.7  
Symptom : Crash observed in Qualys security scan in OpenSSL zlib_stateful_init API.
Resolution: The zlib_stateful_init method is part of OpenSSL when OpenSSL is built with zlib. OpenSSL was rebuilt without zlib.
(DE496191, 32588563)

 

BILL OF MATERIALS

ReleaseNote.D131.txt 
runme (Linux)
uninstall_D131.pl (Linux)
libGlobl.so.1 (Linux)


runme.exe (Windows)
uninstall_D131.exe (Windows)
libGlobl.dll (Windows)