ERM release notes

Security upgrade 2024-07-09 of SSH server in Proxy Client-component to address CVE-2024-6387

A security upgrade for ERM that addresses CVE-2024-6387 is available.

For customers on version 2.0.1

The update should be deployed via the ERM Installer:

1. Select the Enhanced Room Management product.
2. Enable the Install available bugfix/security updates for services option.
3. Select Deploy changes.

See Using the ERM Installer to install and upgrade components for more information on upgrading ERM.

Note that the ERM Installer itself is not vulnerable to CVE-2024-6387.

Mitigation for older versions

The mitigation for older versions (prior to v2.0.1) is to disable the Proxy service in the ERM Installer and redeploy, however we recommend upgrading to v2.0.1 as soon as practicable.

To disable the Proxy service:

1. Select Configure for the Enhanced Room Management product.
2. Within Other settings, select Disable proxy service and Save your changes.
3. Select Deploy changes.

Version 2.0.1

Added

General

• Add support to export status reports to Excel.
• Add API-endpoint to export all system warnings to Excel /json-api/v1/endpoint/export_warnings/.
• Add bulk delete-support to organization tree editor.
• Add support to bulk-provision task that removes all "configuration differs"-warnings.
• Add support to restore deleted systems using backend admin.
• Add support to remove all existing address book items when importing an Excel file.

Poly

• Add support for X-Series v4.1.x and v4.2.x firmware.
• Add support for NTLM-auth to LDAP directory to enable Poly Group + HDX search when having provisioning server configured.
• Add support to download Poly addressbook as importable XML-files.
• Add support for Group and X-Series call status events.
• Add support to import Group backup file format in Provisioning tab.

Fixed

General

• Fix docker healthcheck interval to mark services as up earlier.
• Fix saving backups if system name is over 30 characters.
• Fix removing last digit of Integer-based configuration values, without it resetting to previous value.
• Redo firmware model matching in form if re-uploading new file.
• Fix exporting multiple endpoints (500+) when length of all IDs exceeds 4000 characters.
• Don’t add duplicate rows for firmware uploads for models matching multiple system IDs in filename.
• Update status of bulk created endpoints in background instead of blocking response.
• Log system bulk create/update/delete actions.
• Unpack Room control panels in uploaded zip files.
• Fix API field definitions for some API endpoints.
• Fix scheduled housekeeper cleanup of endpoint provisioning tasks.
• Limit number of keep-alive connections to video systems.
• Don't import already existing address book items from the Excel file.
• Stop displaying address book source errors in JSON format.
• Fix copy button for the addressbook URL in info dialog.
• Fix removing firmware object from list if file has been deleted manually on server.
• Fix recurring retry if trying to provision macros to systems without support.

Cisco

• Fix Cisco provisioning of branding files.
• Fix Cisco macro runtime restart during provisioning.
• Fix Cisco addressbook provisioning for passive systems.
• Upgrade background task engine for some stability improvements.
• Fix storing provisioning result text.
• Fix re-enabling failed feedback event slot. Schedule it in background instead of doing it directly.
• Always try standard passwords in order.
• Fix system ID-filter if reloading browser with system debug-view visible.
• Include mac address and serial number in the global search of systems.
• Allow searching for hidden columns in the system list.

Poly

• Fix double unpacking of Poly firmware — was both upload root and subdirectory.
• Fix repeat provisioning when using direct connection.
• Fix input widget types for HDX IP-based settings.
• Fix deletion of unpacked firmware files.
• Fix verifying software version upgrade.
• Fix extracting software version from passive systems.
• Fix extracting changed IP-address from Group-systems.
• Fix chained provisioning for systems without populated IP-address.
• Stop displaying chained provisioning username for Group + HDX when disabling chained provisioning setting.
• Fix force-mode when upgrading Studio X and Trio firmware.
• Reset target firmware if upgrade-task is canceled.
• Fix escaping some XML-tags when passing along chained provisioning settings to system.

Security

• Upgrade OpenSSH server for proxy client tunnel.
• Add support to disable password login (LDAP/local database depending on configuration) when using SAML. Note: also disables basic auth to API.
• Upgrade pillow, libncursesw6, libpq-dev, libpq5, libtinfo6, ncurses-base, ncurses-bin, setuptools, moment.
• Related CVEs: CVE-2023-4863, CVE-2021-39537, CVE-2023-29491, CVE-2023-5869, CVE-2022-40897.
• Fix information leakage issue where some autogenerated widgets in API-documentation did not apply tenant filter in multi-tenant installations before displaying names of available objects.

Changed

General

• Ignore more status values to decrease number of versions stored in Endpoint status file history.
• Re-enable HttpFeedback-slot even if default slot number has been changed in settings.
• Increase max file size for uploaded firmware files.
• Stop firmware upload if free disk space is running low.
• Allow creating firmware file objects using API without specifying file.
• Hide password fields in form when changing existing systems, until user has checked to change password.
• Log endpoint status changes to console log.
• Add notice about user permissions to backend admin.
• Include customer name in Excel export filename.
• Process endpoint tasks and CDR events in separate background task workers to improve responsiveness.
• Check database index status on service startup
• Try to connect to at most 3 LDAP servers from SRV, ordered by priority. Log resolved addresses.
• Log information if *ldaps.*tcp SRV-pointer is missing but LDAPS is configured.
• Don't try to do SRV-lookup if LDAP server is entered using IP-address.
• Include information about the related objects in the audit log. Update action/scope names.
• Remove some unnecessary information from login view initialization for unauthenticated users.
• Improved formatting of errors messages, including removal of some JSON-based formatting.
• Increase default connect timeout to increase change of successful connection in networks with TCP SYN connection-issues (e.g. VPN).
• Abort form submission if trying to add a system that has duplicate MAC-address/serial number.

Poly

• Provision LDAP NTLM authentication settings as well as Basic to Poly X-series, Group + HDX.
• Don’t set Poly firmware update task as finished until new firmware version matches version reported by system.
• Display only supported values by default for passive Group + HDX-systems
• Add additional information-messages about unsupported actions depending on connection mode.
• Disable TLS-connection to LDAP for HDX-systems.
• Use HTTPS proxy-settings for chained provisioning server.
• Pass real firmware version to chained provisioning server.

Version 2.0.0

Note that all new installations of ERM are now deployed with a 200 GB disk. For existing installations we recommend that you manually increase your disk size to 200 GB — see Increasing disk size from 100 GB to 200 GB on an ERM instance for details.

Added

• Polycom support for Trio, HDX, Group and Studio X.
• Welcome message for new installations.
• Support for automatic upgrade to target firmware version.
• New system defaults templates view to configure base settings to specific models.
• New firmware overview showing conflicts to models firmware target version.
• Provision base settings from the system provisioning tab.
• "View provisioning settings" on the system dashboard and provisioning tab.
• Import configurations via text or file.
• Compare configurations to the latest provisioning, base configuration, templates or other system.
• Text import option for commands and configurations in the system provisioning tab.
• Support for updating existing configuration and command templates.
• Better notification about license device limits.
• Auto-detecting product type when adding new devices.
• Display warnings on dashboard if background server is down or delayed.
• Add support to send DTMF tones from system call control for Cisco systems.
• Add support to save inventory ID, service tags and notes in edit form.
• Add support to save metadata to be used by external systems.
• Add serial number and email address to bulk import form.

Fixed

• Fix manually adding call statistics server in backend admin.
• Only use temporary subfolder on filesystem for uploaded firmware, and revert to memory storage of other temporary files to prevent increasing data build-up. Old files will be automatically removed.
• Fix dates in Excel call statistics export filename.
• Fix updating SIP display-name for Cisco TC-systems.
• Update last check timestamp in case if system is in authentication error-state.
• Mark endpoints value as not required in statistics API-endpoint.
• Redact some extra possible password/private key formats from queue information and trace log.
• Fix updating dial info for Webex systems.
• Fix indicators for room analysis in provision tab.

Security

• Check if user is valid in LDAP database every 10 minutes.
• Lower session cookie expiration value.

Changed

• General performance improvements.
• Icon for external manager service in the system list.
• Message to manually add provisioning settings if not found in the system provisioning tab.
• Improved notifications in the system provisioning tab.
• Fixed input widths in bulk import form.
• Sort system list with title as default.
• Redirect 404 systems to the system list.
• Show the created date in approve new systems list.
• Better notifications in provisioning dialog when multiple systems are selected.
• Better validation and error handling in upload firmware dialog.
• Better validation and error handling in statistics filter form.
• Better validation and error handling in head count filter form.
• Automatically switch to review tab in the system provisioning tab when loading configurations or commands.
• Better loading template indicator in the system provisioning tab.
• Add required to template name in save new template dialog.
• Reset initial values in template picker when closing dialog.
• Update the firmware list after updating an existing entry.
• Better support of Booleans in argument input.
• Reset group title when adding new address book group.
• Better support for the "home" button in sub-views.
• Settings view split into different tabs.
• System default settings moved to Admin > System default.
• Include manual installation instructions for address book configuration.
• Always enable changing volume from the system dashboard.
• Always allow mute/unmute from the system dashboard.
• Ignore empty values on select all configurations.
• Change the queue insight widget on the main dashboard to display pending and queued actions.
• Only show 3 system warnings and errors on the system dashboard, with the option to show all.
• Always scroll the page to the top when changing the route.
• Use manufacturer and model name for systems without title.
• Show alert for inactivity after 5 minutes in call control.
• Simplified system dashboard for systems without manufacturer.
• Added a "Retrieve call history" button to the system dashboard instead of automatically loading.
• Edit and remove buttons enabled on the system dashboard even if the system is not fully loaded.
• Check all HttpFeedbackEvent-slots for Failed-status.
• Reset queued task status after 20 minutes (instead of 60 minutes).
• Cancel queued tasks belonging to deleted systems.
• Use H.323 gatekeeper password for Pexip endpoints.
• Allow exporting call statistics report as excel using API-authentication.
• Use correct widgets for ID-fields in API example-forms.
• Try to provision large macros without "Transpile: yes" if it looks to be transpiled already.
• Try to activate provisioned macros again after at least 10 seconds if Macro runtime was unresponsive.
• Reset form fields after adding new address book group.
• Reset form fields after adding new address book sync-source.
• Change all reports to XML-based Excel format, resize columns to better fit width, change to time-based format for durations.
• Add a summary sheet to Excel call report.
• Warn about low disk space when there is less than 20 GB of free space.
• Try to display correct fields when navigating to a single API view using the web browser.
• Stop displaying the load indicator when enough data is available.
• Display error-messages if any information fails to load.
• Don't display call history until button is pushed.
• Reset online status for systems with in call-status after 4 hours without feedback.
• Allow changing serial number.
• Add help texts to the room analysis report form.
• Reset firmware form when pressing cancel.
• Display call history in correct timezone.
• Change edit address book tab labels.
• Log LDAP user attributes if customer matching is enabled, but no fields did match.
• Match permission flags using LDAP parent group as well as exact DN.
• Group large clusters in dashboard widgets.
• Update provider status in background.
• Use a more visible popup to remind about license expiry.
• Resize columns in Excel exports.
• Disable calendar bookings in passive mode if using RoomOS 10.19.x - firmware bug causes system crash.
• Include the number of seats in system Excel export.
• Limit number of incoming endpoints from a single IP.
• Separate warning for changed system name and SIP/H.323 info.
• Add column with name of endpoint in statistics debug export.

Version 1.1.1

Added

• Add API endpoint to export all active warnings to excel file `/json-api/v1/endpoint/export_warnings/`.

Fixed

• Fix error/warning message handling for provisioning tasks that made all errors display as ModuleNotFound.
• Fix removing last digit from configuration/command text inputs without clearing selection.
• Remove additional "s" that was added when selecting items for Status-report.
• Add handling for "command not found"-responses.

Security

• Upgrade certifi and reportlab.
• Related CVEs: CVE-2023-37920, CVE-2023-33733.

Changed

• Reset queued provisioning tasks that have not been able to run for 20 minutes, to give priority to systems that are online.
• Display note about minimum firmware requirements to install .cop.sha512 images.
• Ignore redacted values (e.g. passwords) when selecting all configurations.
• Display notice in backup view about missing passwords.
• Display notice in address book view about manual groups.
• Display notice if trying to change password for (unsupported) passive systems.

Version 1.1.0

Added

• Add support to upgrade Cisco devices with SHA512 Cisco firmware.
• Display system name and direct links in call statistics page.
• Display systems without any call data during the report time period in Excel export. Add API-endpoint to extract the same list.
• Include personal email-address in system Excel export.

Fixed

• Fix indicator for room analytics status in provisioning dialog.
• Set timeout value for TMS sync API-requests. Improved handling for failed requests.
• Reset error messages in call statistics-view on new form submission.
• Convert call history timestamps to local time on system details page.
• Reset "in call"-status for inactive systems.
• Fix provision status indicator in case of failed response.

Security

• Fix ACL check that allowed non-authenticated users to initiate page requests waiting on external API calls.
• Mitigations for older versions: Block access to /setup/* after initialization (automatically added in Installer load balancer after re-deploy).
• Upgrade cryptography certifi, django-environment, libcrypto1.1, libssl1.1, paramiko, pyopenssl, redis, sentry-sdk, sqlparse, urllib3.
• Related CVEs: CVE-2022-23491, CVE-2022-23491, CVE-2022-24302, CVE-2022-24302, CVE-2023-0286, CVE-2023-0286, CVE-2023-23931, CVE-2023-23931, CVE-2023-28117, CVE-2023-28117, CVE-2023-28858, CVE-2023-28858, CVE-2023-28859, CVE-2023-28859.
• Lower session expiration to 5 days of inactivity.
• Automatically log out users if relevant LDAP-account has been disabled.

Changed

• Stop auto-reloading system details page after 10 minutes of inactivity.
• Allow case-insensitive search of participants in call statistics-report.
• Allow exporting call statistics using API-authentication (Basic Auth).

Version 1.0.9

Added

• Add separate field for required LDAP-group for normal users.
• Add support to force restart of services in log view.
• Display disk space warnings on dashboard.
• Display available Installer/VM-upgrades on dashboard.
• Display if reboot is necessary on dashboard.
• Add support for SAML login. See `/saml/metadata/` for SP metadata.
• Allow specifying specific Installer version when upgrading from command line.
• Add support to display syslog in web-UI.
• Resolve LDAP servers in network tools test. Try to verify SSL-connection.
• Add support for filtering log with until-filter.
• Add support to configure remote syslog server from onboarding wizard.
• Pass information about necessary reboot, free disk space to Installer.

Fixed

• Fix updating component reference if converting between licensed products.
• Keep currently installed component version in version select-box if it has been removed from global list.
• Don't display certificates belonging to non-deployed components as active.
• Fix update of overwritten dev-versions during deploy in offline mode.
• Fix quoting of special characters in HTTP(S) Proxy authentication.
• Fix system logs rotation-timer.
• Fix setting static routes on second NIC if routes is configured later.
• Fix syntax of AD LDAP filter example in network tools.
• Fix unnecessary restarts of Installer-component.
• Fix resetting fallback user password using sudo cli component passwd.

Security

• Upgrade bind9-host, bind9-libs, bsdutils, cpio, curl, eject, fdisk, grub-common, grub-efi-amd64-bin, grub-pc, grub-pc-bin, grub2-common, hyperv-daemons, libblkid1, libc-bin, libc-l10n, libc6, libcurl4, libfdisk1, libglib2.0-0, libjson-c5, libmount1, libncurses6, libncursesw6, libnghttp2-14, libsmartcols1, libtinfo6, libuuid1, libuv1, linux-image-5.10.0-24-cloud-amd64, linux-image-cloud-amd64, locales, mount, ncurses-base, ncurses-bin, open-vm-tools, openssh-client, openssh-server, openssh-sftp-server, perl-base, qemu-guest-agent, runc, util-linux, util-linux-locales
• Related CVEs: CVE-2023-44487, CVE-2023-51385, CVE-2021-41617, CVE-2023-46695, CVE-2021-32292, CVE-2021-38185, CVE-2022-39189, CVE-2023-1989, CVE-2023-20900, CVE-2023-2156, CVE-2023-29491, CVE-2023-3090, CVE-2023-31248, CVE-2023-3268, CVE-2023-3341, CVE-2023-3354, CVE-2023-3389, CVE-2023-3390, CVE-2023-35001, CVE-2023-35788, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3776, CVE-2023-3777, CVE-2023-38408, CVE-2023-4004, CVE-2023-40283, CVE-2023-4128, CVE-2023-4147, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4244, CVE-2023-42753, CVE-2023-4622, CVE-2023-4623, CVE-2023-4911, CVE-2023-4921, CVE-2023-38325, CVE-2023-37920, CVE-2024-24806.

Changed

• Automatically retry installation if dockerd times out.
• Display additional disclaimer about LDAP user access.
• Split CA certificates to multiple rows during import. Don't import duplicates.
• Try to add missing CA-certificates to certificate chain if missing from component certificate file.
• Remove name-field from CA import form. Automatically use subject.
• Compress logs the first rotation.
• Change default LDAP filter to not include disabled users when using AD.
• Use license key from uploaded file if both textarea and file is provided at the same time.
• Automatically remove newline and spaces from license key before validation.
• Use streaming console output for long-lasting commands.
• Change console log-format.
• Refresh session expiry on each request.
• Include extra information about running services in log output.
• Use logrotate for auditd-logs.
• Limit redundant journald-log size.

Version 1.0.8

Changed

• All new installations of ERM are now deployed with a 200 GB disk.

  For existing installations we recommend that you manually increase your disk size to 200 GB — see Increasing disk size from 100 GB to 200 GB on an ERM instance for details.

Version 1.0.7

Added

• Support for Hyper-V 2016 and later environments.
• Add support to enable external database from license file.
• Add support to importing and converting binary certificates (beta).
• Add support to export private keys with encryption, and importing encrypted keys.
• Add support for external redis server.
• Add support for enabling LDAP referral chasing.
• Add support to lookup LDAP servers using SRV records.
• Add more inline documentation for LDAP-settings.
• Mark certificates in use in lists.
• Add field for validating SSL handshake against remote port using network tools.
• Validation of database and LDAP settings when saving configuration.
• Display information about last component metadata refresh time and add link to force refresh.

Fixed

• Clear certificate existing CA chain when updating public key.
• Fix TLS validation for LDAP test connection.
• Validate line before removing volumes.
• Fix version ordering for x.y.z-dev builds.
• Fix permission to run ping in network tools.
• Fix certificate chain warnings if CA lacks common name information.
• Reset offline mode if online license validation was successful.
• Increase length of LDAP filter.
• Remove warning in load balancer logs about SNI host.
• Stop validating values in optional forms marked for deletion.
• Fix offline export if "check for update"-checkbox is not set.
• Fix offline export if any components are marked for uninstallation.
• Remove console log warnings about HostSNI.
• Fix installing multiple ERM on the same VM without getting 500 error.
• Fix home link from product details view.
• Lock postgres version for LDAPAdmin deployed with old version of deploy file.
• Stop re-deploying load balancer on installer upgrade if not necessary.
• Remove warning about missing volumes when removing component.
• Fix service deploy problems when using setting values (e.g. passwords) starting with quotes (").

Security

• Upgrade django, openssl, libssl1.1, sqlite3.
• Related CVEs: CVE-2022-28346, CVE-2022-28347, CVE-2022-0778.
• Limit system permissions for load balancer container, run more services with read only root file system.

Changed

• Only display first certificate chain warning, hide warning if three or more certificates are included.
• Increase log verbosity for LDAP tests.
• Set LDAP connection timeout.
• List any unknown/not fully uninstalled container services.
• Add pagination and search to certificate lists.
• Use direct API for fetching service logs instead of subprocesses for better performance.
• Escape special characters in authentication to external services.
• Change deploy mode for some shared services to allow Installer upgrades in the future with less downtime.
• Increase number of workers for each component based on available memory.
• Always try to start Installer based on script from the currently running version when using other than the official latest version.
• Remove letsencrypt option from certificate.

ERM OS

Added

• Add CLI command ("cli") with support to, among other things, reset passwords and dump database content.
• Allow ICMP echo requests ("ping").
• Allow overriding DNS when using DHCP.
• Install traceroute.
• Add support for EFI and Secure Boot (beta, new VM installations only).

Fixed

• Fix host security update files when upgrading system using offline bundle.
• Set static routes after all interfaces are up.
• Install systemd-timesyncd if the initial VM version did not include it.
• Fix returning to menu after setting hostname.

Security

• Upgrade host packages for bind9-libs, curl, dpkg, grub-common, grub-pc, grub2, hyperv-daemons, libc-bin, libexpat1, libssl1.1, libtasn1-6, libxml2, linux-image-cloud-amd64, linux-image-cloud-amd64 bind9-host, openssl, qemu-guest-agent, rsyslog, zlib1g.
• Related CVEs: CVE-2021-22945, CVE-2021-22946, CVE-2021-30560, CVE-2021-3697, CVE-2021-3999, CVE-2021-4197, CVE-2021-4206, CVE-2021-4207, CVE-2021-46828, CVE-2021-46848, CVE-2022-0358, CVE-2022-1012, CVE-2022-1158, CVE-2022-1292, CVE-2022-1353, CVE-2022-1586, CVE-2022-1587, CVE-2022-1652, CVE-2022-1664, CVE-2022-1679, CVE-2022-1729, CVE-2022-1786, CVE-2022-20368, CVE-2022-20422, CVE-2022-20566, CVE-2022-20568, CVE-2022-2068, CVE-2022-22576, CVE-2022-2327, CVE-2022-24903, CVE-2022-2509, CVE-2022-2585, CVE-2022-2588, CVE-2022-2601, CVE-2022-2602, CVE-2022-26353, CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-27666, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2022-2795, CVE-2022-28733, CVE-2022-28734, CVE-2022-29155, CVE-2022-29162, CVE-2022-29581, CVE-2022-29582, CVE-2022-2959, CVE-2022-2977, CVE-2022-30594, CVE-2022-3080, CVE-2022-31676, CVE-2022-3176, CVE-2022-32207, CVE-2022-32250, CVE-2022-34918, CVE-2022-3524, CVE-2022-3565, CVE-2022-3594, CVE-2022-3625, CVE-2022-3635, CVE-2022-36946, CVE-2022-3775, CVE-2022-38177, CVE-2022-38178, CVE-2022-40303, CVE-2022-40304, CVE-2022-40674, CVE-2022-41222, CVE-2022-4139, CVE-2022-42896, CVE-2022-43680, CVE-2022-43750, CVE-2022-4378, CVE-2022-47518, CVE-2022-47519, CVE-2018-13405.

Changed

• Limit access for logs and system files, fix some CIS benchmark warnings, enable console timeout.
• Install host security upgrades just after upgrading Installer, stop docker from potentially being upgraded automatically.
• Discard some recurring kernel log messages about virtual container network interfaces.
• Allow more userdata in cloud-init config.
• Rotate log files more often.
• Increase log file partition size (for new VMs).
• Decrease console log verbosity.
• Change docker internal IP series to 100.64.10[3-5].0/16 to limit risk of conflicts (new VMs only).
• Change to GPT based partitions.
• Add docker/-prefix to syslog tag, write container logs to separate files in /var/log/docker/.
• Prepare for support for external syslog servers. Manual configuration should be moved to /etc/rsyslog.d/50-remote.conf.
• Enable SSH login by default for new installation, enable fail2ban to lock logins after too many logins.