I still never had a 'corrupted' message.
But it may help to stop One-X Portal service before uploading files.
I had best results when doing it in this order:
- upload all the files, wail a moment
- update Webcontrol. Need to login again.
- Ignore if it still show as being on the old version.
- 'update all' with the respective button in one go.
- reboot, check if all good.
Deploying critical patch on Server Edition and Application Server
Please follow the exact sequence mentioned below.
Login to Web Control Panel.
Navigate to the ‘Settings->General’ and upload the RPM using ‘Applications’ options.
Navigate to the ‘Updates’ tab.
Apply the patch to ‘webcontrol’ service using the RPM provided for Sever Edition.
Apply the patch to ‘one-X Portal’ service.
Apply the patch to ‘Web Collaboration’ service.
Apply the patch to ‘WebRTC Gateway’ service.
Apply the patch to ‘Media Manager’ service.
Verify the versions in services tab of Web Control Panel match the artifact versions.
I have patched our Lab IPOSE as well as a customer now, I updated the RPMs in no particular order (I didn't read about the specific order), and while I got some errors about corrupted RPMs I just kept uploading them again and trying again, eventually it went through and updated all the packages.
So my advice for anyone getting 'corrupted rpm' messages, just keep re-uploading and trying again. I used Chrome.
Cheers,
BFG9K
Avaya IPO/ACCS Technician
Melbourne, Australia
I will apologize in advance of this question but am a bit confused as to the files that are contained in the 11.1.2 patch folder.
The RPM files are self explanatory and are loaded using web page and application button.
But there appears to be 2 checksum files that I am an not sure what to do with them and nothing in release notes that I can find.
AvayaOneXdesktopclients_11.1.2001.90.exe.SHA256
onexportal-11.1.2001-90.RPM.SHA256
There is another file onexportal-11.1.2001-90.RPM which I assume is the one to load.
But there is no other AvayaOneXdesktopclients_11.1.2001.90.exe
So I am confused as to which files need to be uploaded.
Just upload all of them.
The small *.SHA256 files may be needed or not, but they are uploaded in milliseconds, so just do it.
The AvayaOneXdesktopclients_11.1.2001.90.exe will match the version of oneX portal and is then available to download from the 1XP.
good to know, thanks Albus2
I have to say I have not done patches on Linux in ages so I was also unsure.
But at least they have added the download now to the site.
The SHA256 files are literally just SHA256 sums for the files, if you open them in notepad you will get a string, it should match the SHA256 hash for each of the files.
They're hashfiles, and you should be comparing them to the file hashes to make sure they haven't been corrupted.
Cheers,
BFG9K
Avaya IPO/ACCS Technician
Melbourne, Australia
To answer my comment above about 'GroGroundhog Day'.
There are several options to fix the initial problem:
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
[ul]
[li]Java 8 (or later) users should upgrade to release 2.16.0 (now 2.17).[/li]
[li]Java 7 user should upgrade to release 2.12.2 (now 2.12.3).[/li]
[li]Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class[/li]
[/ul]
Avaya did upgrade to 2.16 but also remove the JndiLookup class.
If I understand correctly, they are not exposed to CVE-2021-45105 because of this.
In addition, the issue which is solved by 2.17 is 'only' a DOS (Denial of Service) attack. The initial problem was a RCE (Remote Code Execution).
But is this file only provided to us for verifying the download?
They could also just have this info on the download page. I do check large downloads when this information is available.
Or is it also used by the system itself?
Anyway, why are only some of them available and not all?
I don't know. However, it only takes a second to upload them, so unless someone explains it, I will upload them.
Sorry if this has been addressed above, I have skimmed through and couldn't see it.
We have a customer on R11 with a Windows Server installation of One-X Portal. We have upgraded them to the latest R11 version, and run the Log4j patch, but when they do a search of the C drive for Log4j they still see version 2.12.1, which is one of the vulnerable versions. Do you know what this patch is designed to do? Should it have been upgraded to a none affected version (2.17.0 I believe), or have they nullified the vulnerability in some other way?
I need to reassure the customer that the patch has resolved the vulnerability.
Am I reading this correctly, that to patch the IPO, it has to be on release R11.1 Feature Pack 2? Meaning most my customers would have to be ungraded first?
Also: "Apply the patch to ‘one-X Portal’ service." - The file incudes two versions? Is one or the other used? Both used?
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.