CPS Security Patch IS-8.0U1SP1 for RHEL7
Patch
Abstract
CPS Security Patch IS-8.0U1SP1 for RHEL7
Description
SORT ID: 19037
Fixes the below incidents:
4091306,4073050,4066225
Patch IDs:
VRTScps-8.0.0.1900-RHEL7 for VRTScps
                          * * * READ ME * * *
             * * * Veritas Co-ordination Point Server 8.0 * * *
                         * * * Patch 1900 * * *
                         Patch Date: 2022-10-31


This document provides the following information:

   * PATCH NAME
   * OPERATING SYSTEMS SUPPORTED BY THE PATCH
   * PACKAGES AFFECTED BY THE PATCH
   * BASE PRODUCT VERSIONS FOR THE PATCH
   * SUMMARY OF INCIDENTS FIXED BY THE PATCH
   * DETAILS OF INCIDENTS FIXED BY THE PATCH
   * INSTALLATION PRE-REQUISITES
   * INSTALLING THE PATCH
   * REMOVING THE PATCH


PATCH NAME
----------
Veritas Co-ordination Point Server 8.0 Patch 1900


OPERATING SYSTEMS SUPPORTED BY THE PATCH
----------------------------------------
RHEL7 x86-64


PACKAGES AFFECTED BY THE PATCH
------------------------------
VRTScps


BASE PRODUCT VERSIONS FOR THE PATCH
-----------------------------------
   * InfoScale Availability 8.0
   * InfoScale Enterprise 8.0
   * InfoScale Storage 8.0


SUMMARY OF INCIDENTS FIXED BY THE PATCH
---------------------------------------
Patch ID: VRTScps-8.0.0.1900
* 4091306 (4088158) Security vulnerabilities exist in SQLite third-party components used by VCS.
Patch ID: VRTScps-8.0.0.1800
* 4073050 (4018218) Secure communication between a CP Server and a CP Client cannot be established using TLSv1.2
Patch ID: 8.0.0.1200
* 4066225 (4056666) The Error writing to database message may intermittently appear in syslogs on CP servers.


DETAILS OF INCIDENTS FIXED BY THE PATCH
---------------------------------------
This patch fixes the following incidents:

Patch ID: VRTScps-8.0.0.1900

* 4091306 (Tracking ID: 4088158)

SYMPTOM:
Security vulnerabilities exist in SQLite third-party components used by VCS.

DESCRIPTION:
VCS uses SQLite third-party components in which some security vulnerabilities exist.

RESOLUTION:
VCS is updated to use newer versions of SQLite third-party components in which the security vulnerabilities have been addressed.

Patch ID: VRTScps-8.0.0.1800

* 4073050 (Tracking ID: 4018218)

SYMPTOM:
Secure communication between a CP Server and a CP Client cannot be established using TLSv1.2

DESCRIPTION:
Secure communication between a CP Server and a CP Client cannot be established using TLSv1.2.

RESOLUTION:
This hotfix updates the VRTScps module so that InfoScale CP Client can establish secure communication with a CP server using TLSv1.2. However, to enable TLSv1.2 communication between the CP client and CP server after installing this hotfix, you must perform the following steps:

To configure TLSv1.2 for CP server
1. Stop the process resource that has pathname="/opt/VRTScps/bin/vxcpserv"
   # hares -offline <vxcpserv> -sys <sysname>
2. Check that the vxcpserv daemon is stopped using the following command:
   # ps -eaf | grep "/opt/VRTScps/bin/vxcpserv"
3. When the vxcpserv daemon is stopped, edit the "/etc/vxcps_ssl.properties" file and make the following changes:
   a. Remove or comment out the entry: openSSL.server.requireTLSv1 = true
   b. Add a new entry: openSSL.server.requireTLSv1.2 = true
4. Start the process resource that has pathname="/opt/VRTScps/bin/vxcpserv"
   # hares -online <vxcpserv> -sys <sysname>

To configure TLSv1.2 for CP Client
Edit the "/etc/vxcps_ssl.properties" file and make the following changes:
   a. Remove or comment out the entry: openSSL.server.requireTLSv1 = true
   b. Add a new entry: openSSL.server.requireTLSv1.2 = true

Patch ID: 8.0.0.1200

* 4066225 (Tracking ID: 4056666)

SYMPTOM:
The Error writing to database message may appear in syslogs intermittently on InfoScale CP servers.

DESCRIPTION:
Typically, when a coordination point server (CP server) is shared among multiple InfoScale clusters, the following messages may intermittently appear in syslogs:
CPS CRITICAL V-97-1400-501 Error writing to database! :database is locked.
These messages appear in the context of the CP server protocol handshake between the clients and the server.

RESOLUTION:
The CP server is updated so that, in addition to its other database write operations, all the ones for the CP server protocol handshake action are also synchronized.


INSTALLING THE PATCH
--------------------
Run the Installer script to automatically install the patch:
-----------------------------------------------------------
Note that the installation of this P-Patch will cause downtime.

To install the patch perform the following steps on at least one node in the cluster:
1. Copy the patch cps-rhel7_x86_64-Patch-8.0.0.1900.tar.gz to /tmp
2. Untar cps-rhel7_x86_64-Patch-8.0.0.1900.tar.gz to /tmp/hf
    # mkdir /tmp/hf
    # cd /tmp/hf
    # gunzip /tmp/cps-rhel7_x86_64-Patch-8.0.0.1900.tar.gz
    # tar xf /tmp/cps-rhel7_x86_64-Patch-8.0.0.1900.tar
3. Install the hotfix. (Note that the installation of this P-Patch will cause downtime.)
    # pwd
    /tmp/hf
    # ./installVRTScps800P1900 [<host1> <host2>...]

You can also install this patch together with the 8.0 base release using Install Bundles:
1. Download this patch and extract it to a directory.
2. Change to the Veritas InfoScale 8.0 directory and invoke the installer script with the -patch_path option, where -patch_path should point to the patch directory:
    # ./installer -patch_path [<path to this patch>] [<host1> <host2>...]

Install the patch manually:
--------------------------
To install the patch perform the following steps on all nodes in the VCS cluster:
1. Stop VCS on the cluster node.
2. Install the patch.
3. Restart VCS on the node.

Stopping VCS on the cluster node
--------------------------------
To stop VCS on the cluster node:

1. Ensure that the "/opt/VRTSvcs/bin" directory is included in your PATH environment variable so that you can execute all the VCS commands. For more information, refer to the Veritas Cluster Server Installation Guide.

2. Verify that the base version of VRTScps is 8.0

3. Persistently freeze all the service groups:
    # haconf -makerw
    # hagrp -freeze [group] -persistent
    # haconf -dump -makero

4. Stop the cluster on all nodes. If the cluster is writable, you may close the configuration before stopping the cluster. On any node, run the following command to stop the cluster:
    # hastop -all -force

5. Verify that the cluster is stopped on all nodes:
    # hasys -state

6. On all nodes, make sure that both the had and hashadow processes are stopped.

7. Stop the VCS CmdServer on all nodes:
    # /opt/VRTSvcs/bin/CmdServer -stop

8. Copy the /etc/VRTSvcs/conf/config/types.cf file to /etc/VRTSvcs/conf/config/types.cf.orig.

9. Copy the /etc/VRTSvcs/conf/config/main.cf file to /etc/VRTSvcs/conf/config/main.cf.orig.

Installing the patch
--------------------
To install the patch:

1. Log in as superuser on the system where you are installing the patch.

2. Uncompress the patch that you downloaded from Veritas.

3. Change the directory to the uncompressed patch location.

4. Install the patch:
    # rpm -Uvh VRTScps-8.0.0.1900-RHEL7.x86_64.rpm

5. After the installation completes, verify that the patch is installed.
    # rpm -q VRTScps
   When the patch is installed properly, the following output is displayed:
    VRTScps-8.0.0.1900-RHEL7.x86_64

Restarting VCS on the cluster node
----------------------------------
To restart VCS on the cluster node:

1. Verify the configuration:
    # hacf -verify config

2. Start the cluster services on all cluster nodes. First start VCS on a node:
    # hastart
   On all the other nodes, start VCS by issuing the hastart command after the first node's state changes to LOCAL_BUILD or RUNNING.

3. Unfreeze all the service groups:
    # haconf -makerw
    # hagrp -unfreeze [group] -persistent
    # haconf -dump -makero

4. Start the VCS CmdServer on all nodes:
    # /opt/VRTSvcs/bin/CmdServer


REMOVING THE PATCH
------------------
To uninstall the patch perform the following steps:

1. Stop VCS on the node by following the steps in the section "Stopping VCS on the cluster node".

2. Stop the VCS CmdServer:
    # /opt/VRTSvcs/bin/CmdServer -stop

3. Remove the patch:
    # rpm -e VRTScps

4. After the removal completes, verify that the patch has been removed from all the systems in the cluster. On each system type:
    # rpm -qa | grep VRTScps
   The package VRTScps should not be displayed, which confirms that the package is removed.

5. Install the previous CPS version rpm.

6. Copy the /etc/VRTSvcs/conf/config/types.cf.orig file to /etc/VRTSvcs/conf/config/types.cf.

7. Copy the /etc/VRTSvcs/conf/config/main.cf.orig file to /etc/VRTSvcs/conf/config/main.cf.

8. Start the cluster services on all cluster nodes. First start VCS on one node:
    # hastart
   On all the other nodes, start VCS by issuing the hastart command after the first node's state changes to LOCAL_BUILD or RUNNING.

9. Unfreeze all the service groups:
    # haconf -makerw
    # hagrp -unfreeze [group] -persistent
    # haconf -dump -makero

10. Start the VCS CmdServer on all nodes:
    # /opt/VRTSvcs/bin/CmdServer


SPECIAL INSTRUCTIONS
--------------------
Vulnerabilities Fixed:
The following vulnerabilities are fixed in this security SP:
   * CVE-2021-22925 (BDSA-2021-2151)
   * CVE-2022-32205 (BDSA-2022-1755)
   * BDSA-2022-0504
   * BDSA-2022-1130
   * CVE-2022-27775 (BDSA-2022-1147)
   * BDSA-2021-0022
   * CVE-2021-22946 (BDSA-2021-2781)
   * CVE-2021-22947 (BDSA-2021-2786)
   * CVE-2021-22945 (BDSA-2021-2778)
   * CVE-2021-22926 (BDSA-2021-2154)
   * CVE-2022-27776 (BDSA-2022-1143)
   * CVE-2021-22890 (BDSA-2021-0832)
   * CVE-2022-32206 (BDSA-2022-1756)
   * CVE-2021-22922 (BDSA-2021-2140)
   * CVE-2022-27782 (BDSA-2022-1295)
   * CVE-2022-32208 (BDSA-2022-1757)
   * CVE-2021-22924 (BDSA-2021-2147)
   * CVE-2022-27781 (BDSA-2022-1290)
   * CVE-2021-22923 (BDSA-2021-2142)
   * BDSA-2022-1336
   * CVE-2022-22576 (BDSA-2022-1142)
   * CVE-2021-22876 (BDSA-2021-0825)
   * CVE-2021-22897 (BDSA-2021-1595)
   * CVE-2021-22898 (BDSA-2021-1586)
   * BDSA-2022-1120
   * CVE-2022-35252 (BDSA-2022-2385)
   * CVE-2022-27774 (BDSA-2022-1145)
   * CVE-2022-32207 (BDSA-2022-1758)
   * CVE-2022-35737 (BDSA-2022-2151)
   * CVE-2021-20223 (BDSA-2020-4786)
   * BDSA-2021-2585


OTHERS
------
NONE
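
The "/etc/vxcps_ssl.properties" edit from the TLSv1.2 steps for incident 4073050, as an added shell example that is not part of the Veritas README. It compares keys exactly, because a substring match on requireTLSv1 would also hit the new requireTLSv1.2 entry; the function names and the .orig backup suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Veritas code: the step 3 edit of vxcps_ssl.properties.
# Run it only after vxcpserv is stopped, as the README requires.
OLD_KEY='openSSL.server.requireTLSv1'
NEW_KEY='openSSL.server.requireTLSv1.2'

# require_tls12 FILE (hypothetical helper name)
# Comments out the active TLSv1 entry and leaves exactly one TLSv1.2 entry.
require_tls12() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Keep the first pre-change copy; the .orig suffix is an assumption.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v old="$OLD_KEY" -v new="$NEW_KEY" '
        {
            key = $0
            sub(/^[ \t]*/, "", key)      # drop leading blanks
            sub(/[ \t]*=.*$/, "", key)   # drop "= value", leaving the key
            if (key == old) { print "# " $0; next }  # disable TLSv1 entry
            if (key == new) next                     # re-added once in END
            print
        }
        END { print new " = true" }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"   # overwrite in place: owner and mode are unchanged
    rm -f "$tmp"
}

# tls12_enforced FILE (hypothetical helper name)
# Succeeds only if the TLSv1.2 entry is active and the TLSv1 entry is not.
tls12_enforced() {
    awk -v old="$OLD_KEY" -v new="$NEW_KEY" '
        {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (key == old) bad = 1
            if (key == new && val == "true") ok = 1
        }
        END { exit !(ok && !bad) }
    ' "$1"
}
```

Running require_tls12 a second time leaves the file unchanged, and tls12_enforced can be used afterwards on the CP server and on each CP client to confirm the setting before the vxcpserv resource is brought back online.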