Problem:



Two vulnerabilities have been discovered in the QNX operating system images distributed by Tridium.
The first could allow a less privileged process to gain read access to privileged files.
The second is in the QNX procfs service and could allow a less privileged process to gain access to a chosen process's address space.
 
The following supported platforms are impacted: 

  • Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000)
  • Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000)
  • Niagara 4.7u1 (JACE-8000, Edge 10)

 
 
NOTE: Niagara Windows and Linux Supervisor installations are not impacted.
 
We have updated the QNX OS images to remove the vulnerability. The recommendation is to update to the versions listed here:




Solution:

Installing the most recent builds of Niagara will prevent the Host ID from changing.

These builds are:

  • Niagara 3.8 Update 2 (3.8.213 and later)
  • Niagara 4.3 (and later)
  • Enterprise Security 2.3 Update 1 (2.3.118 and later which is based on Niagara 3.8.213)

Updating older versions of Niagara

Tridium always recommends that Niagara installations are upgraded to the latest released software in order to maintain the latest
security protection and to gain benefit from latest features.
Tridium has created patch files to stabilize the Host ID for cases where customers have not upgraded to the latest version of Niagara
(see installation instructions below). Once these patches are applied to the older versions of Workbench the Host ID is stabilized and
should not change if Windows updates are installed.

IMPORTANT NOTES REGARDING THE PATCHES

  • Patches are only supported for the latest update version for the relevant release.
  • Patches are not available for AX 3.5 and earlier, or Niagara 4.0 or 4.1.
  • Builds prior to AX 3.8.213 are considered unsupported. Customers applying these patches do so at their own risk.
  • Newer versions of Niagara (3.8U2 and 4.3) have introduced a stabilized method of managing the Host ID and do not require
    any patch.
  • The patches do not eliminate the issue of different Host IDs generated when installing 32 bit and 64 bit Niagara.

Installation Instructions

Download and unzip the attached HOSTID_PATCHES.zip into a temporary folder. The archive contains 'nre.dll' for
various versions of Niagara AX and Niagara 4.2 in a directory structure identifying them first by Niagara version and sub-directory
identifying 64-bit or 32-bit Windows. The 4.2 folder also contains 'njre.dll' which will need to be copied only for 4.2 installations. Follow
these instructions:

  1. Determine whether the installed Java version is 64-bit or 32-bit. Start a Niagara Command Line (<Niagara Home>/bin/console.exe)
    from the desktop of the platform to be patched.
  2. From the Niagara Command Line execute the command: nre -version. One of the listed items will be java.vm.name. If the
    text contains “64-Bit” then the installation is 64 bit; otherwise the installation is 32 bit.
  3. Stop any running station using Workbench's Platform Application Director on the platform to be patched.
  4. Exit Workbench if running on the platform to be patched.
  5. From the Niagara Command Line (<Niagara Home>/bin/console.exe) execute the command: plat uninstalldaemon
  6. Make a copy of the existing nre.dll located in the <Niagara Home>/bin folder. If Niagara 4.2 is being updated, also make a copy of
    njre.dll located in the <Niagara Home>/bin folder.
  7. Copy the downloaded nre.dll that matches the Niagara version and the OS (64 or 32 bit) to the <Niagara
    Home>/bin folder. If updating Niagara 4.2, also copy njre.dll to the <Niagara Home>/bin folder. Overwrite the existing file(s).
  8. From the Niagara Command Line (<Niagara Home>/bin/console.exe) execute: plat installdaemon
  9. Start Workbench.
  10. Open a platform connection to the patched platform.
  11. Using the Application Director, start the station.

The patched files for the affected versions will remedy the issue.

Installation Instructions

Archive file ‘Qnx Patches for HAREMB-1220 and 1221.zip’ contains folders for Niagara AX 3.8 update 4 (r38), Niagara 4.4 update 3 (r44), and Niagara 4.7 update 1 (r47).


  1. Unzip the zip archive into a temporary working folder.
  2. Make sure you have the corresponding version of Niagara Workbench installed.
  3. Copy the dist files from the folder (r38, r44 or r47) for that release into:
    1. <niagara_user_home>\sw\inbox


Note: <niagara_user_home> in N4 is your Windows profile user folder\Niagara4.x\<brandId>

Example:

C:\users\myUserName\Niagara4.7\tridium\sw\inbox


Note: In AX, the niagara_user_home is the location where you installed Niagara.

Example:

C:\Niagara\Niagara-3.8.401\sw\inbox


  4. Restart the version of Workbench you are updating.
  5. Connect to the platform of the device.
  6. Open the Software Manager.
  7. Observe that the files are no longer in the inbox of the user home.
  8. Commission the device using the “Commissioning Wizard”.
    1. Make sure the “install/upgrade core software from distribution files” box is checked.
    2. Confirm the version number of the dists being installed.
Product / QNX Patches

  • Niagara AX 3.8u4
    OS Dist: 2.7.402.2
    NRE Config Dist: 3.8.401.1
  • Niagara 4.4u3
    OS Dist: 4.4.73.38.1
    NRE Config Dist: 4.4.94.14.1
  • Niagara 4.7u1
    OS Dist (JACE 8000): 4.7.109.16.1
    OS Dist (Edge 10): 4.7.109.18.1
    NRE Config Dist: 4.7.110.32.1
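
For sites with many controllers, the version check in the last commissioning step can be run over an exported inventory. The following is an added example, not part of the original advisory and not Tridium code: the release keys, field names and inventory rows are hypothetical, and it assumes that later dist builds compare numerically greater than the versions listed above.

```python
# Added example, not Tridium code. Patched versions are copied from the
# advisory table; the inventory rows below are constructed sample data.
PATCHED = {
    "AX 3.8u4": {"os": {"*": "2.7.402.2"}, "nre": "3.8.401.1"},
    "4.4u3": {"os": {"*": "4.4.73.38.1"}, "nre": "4.4.94.14.1"},
    "4.7u1": {"os": {"JACE-8000": "4.7.109.16.1", "Edge 10": "4.7.109.18.1"},
              "nre": "4.7.110.32.1"},
}


def parse_version(text):
    """'4.7.109.16.1' -> (4, 7, 109, 16, 1); raises ValueError if malformed."""
    return tuple(int(part) for part in text.strip().split("."))


def audit(device):
    """Return (status, reasons) for one inventory row."""
    release = PATCHED.get(device["release"])
    if release is None:
        return "not-covered", ["release is not in the advisory table"]
    os_min = release["os"].get(device["platform"], release["os"].get("*"))
    if os_min is None:
        return "not-covered", ["no OS dist listed for this platform"]
    reasons = []
    checks = (("OS Dist", device["os_dist"], os_min),
              ("NRE Config Dist", device["nre_config_dist"], release["nre"]))
    for label, have, want in checks:
        try:
            # Compare as integer tuples: as strings, "4.4.73.9" > "4.4.73.38.1".
            outdated = parse_version(have) < parse_version(want)
        except ValueError:
            return "unknown", [f"{label} value {have!r} is not a dotted version"]
        if outdated:
            reasons.append(f"{label} {have} is older than patched {want}")
    return ("needs-patch", reasons) if reasons else ("patched", [])


INVENTORY = [  # constructed rows; device names and old versions are made up
    {"name": "jace-a", "platform": "JACE-8000", "release": "4.7u1",
     "os_dist": "4.7.109.16.1", "nre_config_dist": "4.7.110.32.1"},
    {"name": "edge-b", "platform": "Edge 10", "release": "4.7u1",
     "os_dist": "4.7.109.16.1", "nre_config_dist": "4.7.110.32.1"},
    {"name": "jace-c", "platform": "JACE 6e", "release": "4.4u3",
     "os_dist": "4.4.73.9", "nre_config_dist": "4.4.94.14"},
]

if __name__ == "__main__":
    for row in INVENTORY:
        status, reasons = audit(row)
        print(row["name"], status, "; ".join(reasons))
```

The second row shows why the platform matters for 4.7u1: an Edge 10 reporting the JACE 8000 OS dist version is still below the Edge 10 patched version.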