
FireMon Lumeta is pleased to announce the general availability of Lumeta 3.3.2.2, a micro-release that updates the Lumeta system databases. This release is recommended for all Lumeta users.

Upgrading to Lumeta 3.3.2.2
| Upgrade Path: From_Release | Upgrade Path: To_Release | Upgrade Package |
|---|---|---|
| 3.3.2/3.3.2.1 Command Center | 3.3.2.2 Command Center | Lumeta 3.3.2.2 upgrade |
| 3.3.2/3.3.2.1 Scout | 3.3.2.2 Scout | |
| 3.3.2/3.3.2.1 Portal | 3.3.2.2 Portal | |

md5sum spectre_update-3.3.2.2.13174-20190220.tgz:
60f299c426f3f1c36cbcea3af0732b0a  spectre_update-3.3.2.2.13174-20190220.tgz

Compatibility

Please be advised that Lumeta 3.3.2.2 Command Centers are not backward-compatible with 3.3.2, 3.3.2.1 and older Scouts. Be sure to upgrade your Scouts to 3.3.2.2.

Upgrade Process

During an upgrade, please be aware that these items are purged from the Lumeta database:

  • All certificates
  • Orphaned attributes (i.e., those not associated with any device)

Release 3.3.2.2 Enhancements

Certificate Reporting
  1. Added support for processing certificate chains
  2. Certificates are aged-out (i.e., removed from the database) after 48 hours of non-activity
  3. Added support to process certificate data that has been received on multiple ports
  4. Three new columns have been added to the "zone.certificate" table: "chainid", "chainorder" and "port"


  5. The "cert" reports have been updated to include this data:



  6. Reports containing records on multiple devices will include the Chain Order of the certificates on them. A chain order of "0" means that the certificate is at the bottom of the certificate chain and is the host certificate, that is, the certificate most specific to that server.
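
To make the chain-order convention concrete, the following added example (not Lumeta code, and not taken from the product) orders the certificates seen on each port so that the host certificate gets chain order 0. The records are constructed sample data; the "subject" and "issuer" field names and the subject/issuer name-matching rule are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records, deliberately out of order. "port" mirrors the new
# column named above; "subject" and "issuer" are assumed field names.
SAMPLE = [
    {"port": 443, "subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"},
    {"port": 8443, "subject": "CN=mgmt.example.test", "issuer": "CN=mgmt.example.test"},
    {"port": 443, "subject": "CN=www.example.test", "issuer": "CN=Example Intermediate CA"},
    {"port": 443, "subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"},
]


def order_chain(certs):
    """Return [(chainorder, subject), ...] with the host certificate at 0."""
    by_subject = {c["subject"]: c for c in certs}
    # Subjects that sign some *other* certificate in the set are CAs.
    signers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    hosts = [c for c in certs if c["subject"] not in signers]
    if len(hosts) != 1:
        raise ValueError(f"expected one host certificate, found {len(hosts)}")
    ordered, seen, cert = [], set(), hosts[0]
    # The "seen" set stops the walk if two certificates name each other as issuer.
    while cert is not None and cert["subject"] not in seen:
        seen.add(cert["subject"])
        ordered.append((len(ordered), cert["subject"]))
        if cert["issuer"] == cert["subject"]:  # self-signed: top of the chain
            break
        cert = by_subject.get(cert["issuer"])  # None: issuer was not presented
    return ordered


def chains_by_port(records):
    """Group records by port and order each group independently."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["port"]].append(rec)
    return {port: order_chain(certs) for port, certs in sorted(groups.items())}


if __name__ == "__main__":
    for port, chain in chains_by_port(SAMPLE).items():
        for chainorder, subject in chain:
            print(port, chainorder, subject)
```

A chain whose intermediate or root was not presented simply ends at the last certificate found, so the host certificate is still reported at chain order 0.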


System Health
Added product instrumentation to track system DB health relating to bloat and vacuum. See Database Health for more information.


Duplicate MAC Processing

Added support for duplicate MAC addresses. These no longer cause hosts to be erroneously discarded.


Fixed Issues

The following issues reported by customers have been fixed. 


  1. The zone.updatetargetspace_log contains no entries, but individual zones like zone_0002.updatetargetspace_log do contain entries. Entries from individual zones will need to be made to roll up to the master log. (Case ID: PO-9389)
  2. New password control settings restrict how often users can change their passwords. See Password Controls in Spectre 3.3.2+ for details. The "minimum days" condition and the override of it have been fixed. (Case ID: PO-8695)
  3. Child devices no longer remain Active when the last observed is past the data expiration date (Case ID: PO-9183)
  4. Empty columns and references to interfaces were removed from some database tables (Case ID: PO-8663, SF-74088)
  5. Added support for the update_target stored procedure (Case ID: PO-9302)
  6. When the physical address of a switch changed after Lumeta had scanned it and saved it to the database, the associated table entry was not being properly updated. This caused a log entry error "Could not find ip to associate iftable data." The error has been corrected and the error message no longer displays. (Case ID: PO-9283)
  7. In Zones Collector drop list, the text has been made visible. (Case ID: PO-9300, SF-74589)
  8. Discrepancies between summary logs (zone.updatetargetspace_log) and individual zone logs (zone_0002.updatetargetspace_log) have been corrected. (Case ID: PO-9389)
  9. Lumeta can now identify the port on which a certificate responded (Case ID: ZN-1439)
  10. Uncalculated columns have been removed from device_values (Case ID: PO-8663, SF-74088)
  11. Device with certificate chain only displays one certificate (Case ID: ZN-1435)
  12. Certificate Subject incorrect (Case ID: ZN-1437)
  13. The asset group within Qualys is being populated with the correct IP count.
  14. Lumeta won't ingest interface data about any device in a zone that lacks an interface address in the Target List (Case ID: PO-9512)

Known Issues

We'll make you aware of any known issues and the work-arounds here.


  1. Lumeta does not ingest "Host" (MAC/IP) or "Switchinfo" "Host" (MAC/VLAN) data from interfaces without a layer-3 address. Examples in red type. (Case ID: PO-9451)

          "ip" : "10.9.0.28"
        } ],
        "switchInfo" : {
          "port" : 106,
          "hosts" : [ "9c:b6:54:9e:22:49", "02:e0:52:0f:57:62", "00:24:e8:93:86:24" ],
          "bridge" : "54:75:D0:19:4B:00"

  2. SQL entries in the log to be analyzed and remediated. (Case ID: PO-9281)
  3. Portal only: Portal upgrade must be performed from CLI; the upgrade from GUI is not working. (Case ID: PO-9569)
  4. Datacontroller service is not for use by customers and will be removed in an upcoming release. (Case ID: PO-9637)
  5. In Reports > Browse Historical > View, reports exported to CSV produce CSV files that lack data in the columns. Only the row with column headings displays. (Case ID: PO-8834)
  6. The All Devices scheduled report does not display in the Browse Historical Reports section after filters are set and cleared by the user. (Case ID: PO-9402)
  7. When an IP is in both the Eligible List and the Avoid List, the Avoid List must always dictate behavior. The system does not always adhere to this policy. (Case ID: PO-9114)
  8. Connection to McAfee DXL fails due to expired certificate. See DXL Setup for Lumeta Spectre 3.3.2.2 for workaround procedure. (Case ID: PO-8798)
  9. The upgrade to 3.3.2.2 will clear certificates but will not clear the device profiles for certificates. (Case ID: PO-9677)
  10. Mismatch between the count shown on some reports and count shown on click-through to report's details (Case ID: PO-2698)


Security Updates

Lumeta 3.3.2 resolves Common Vulnerabilities & Exposures (CVEs) and incorporates a variety of security-related (and non-security-related) enhancements. A list of CVEs resolved in this 3.3.2.2 release will be made available here post-GA. 

Change Log

Following are the changes made in preparation for this Lumeta 3.3.2.2 release. This information was refreshed at GA on 5/20/2019. 

Epic

PO-9010 - Product instrumentation to track Bloat

PO-9140 - Support Certificate reporting in Spectre

Bug

PO-4734 - Downloading Cyber-threat Zombie Devices drill down widget report gives you Failed-Forbidden error

PO-8646 - Entries for a collector seen in target table for credential that is not configured for that collector

PO-8663 - Remove columns from device_values that are not being calculated

PO-8869 - The file /var/log/performance-data/java.txt is not being rotated

PO-8877 - Target Updater did not run on Zone 2 today because of a deadlock

PO-9013 - Certificate Subject incorrect

PO-9014 - Device with certificate chain only displays one certificate

PO-9101 - Zone.device_certificate mapping table is missing device-certificate mappings

PO-9183 - Child devices remain Active even though the lastobserved is past the data expiration date

PO-9193 - Existing certificates aren't deleted when certificates in the device response change

PO-9223 - https://<spectre_system>/map/data/ accessible without authentication

PO-9283 - Could not find ip to associate iftable data

PO-9300 - In Zones Collector drop list, the text is not visible. Due to grey text over grey background

PO-9356 - Performance dashboard showing negative avg processing time

PO-9367 - Delete device certificate data as part of upgrade 3.3.2.2

PO-9368 - Port PO-9303 to 3.3.2-maintenance

PO-9389 - zone.updatetargetspace_log contains no entries, but individual zones like zone_0002.updatetargetspace_log does.

PO-9403 - Right Click on Menu open in a new tab is missing (3.3.2.2

PO-9431 - Canned reports missing attributes - app crashes with endless spinner when editing widget settings

PO-9449 - Interface Counts and Details differ from data in device files

PO-9491 - 3.3.2.2 upgrade is deleting all attributes not just orphaned attributes

PO-9492 - Scan all responsive HTTP / HTTPS ports when HTTP/HTTPS profiling is enabled

PO-9498 - No need to run orphan cert clean up as part of 3.3.2.2 upgrade

PO-9503 - Port missing from certificate report click through

PO-9507 - Orphan attribute deletion during upgrade to 3.3.2.2 is very slow

PO-9516 - CLI delete orphan command speed up

PO-9527 - Performance benchmarking degradation after upgrading to 3.3.2.2

PO-9538 - Certificates from older (pre 3.3.2.2) scouts are being ingested into database

PO-9592 - Completion time of the update target processing is different in the updatetargetspace_log table compared to the log file

PO-9611 - PKI user cannot login after upgrade from 3.3.2.1 to 3.3.2.2

PO-9616 - Attribute expiration not taking into account custom and system attributes

Story

PO-7880 - remove 2 unnecessary luks pkgs, not needed

PO-8811 - Create table for Reject/Special Addresses

PO-9062 - Implement allowing duplicate MAC addresses

PO-9063 - Change DatabaseMaintainer to pass in flag for update target that runs nightly vs. the one that runs as part of updating collector

PO-9151 - Java side code changes for allowing duplicate MAC addresses (PO-9062)

PO-9153 - Query code changes for allowing duplicate MAC addresses (PO-9062) and implement timeout

PO-9226 - configure nightly build of upgrade to 3.3.2.2

PO-9242 - Security updates for 3.3.2.2

PO-9285 - CLI command to delete orphans

PO-9302 - Add changes to update target that came from 3.3.2.2 requirement review meeting

PO-9414 - CLONE - STIG modify /dev/shm mount options

PO-9426 - Current upgrade to 3.3.2 does not run all data dictionary sqls

PO-9447 - Make sure Copyright is set to 2019 for 3.3.2.2

PO-9450 - check the upgrade build status for errors

Improvement

PO-8896 - Delete orphans as part of upgrade

PO-9011 - Identify the port that a certificate responded on

PO-9012 - Certificate expiration from the Database (Device Retention)

PO-9206 - Set correct version

PO-9224 - Remove map test data

PO-9466 - Change column order to help database compare script not fail on it

PO-9513 - MAC Prefixes to add to the MAC Vendor Table

 
