Threat Intelligence Exchange Server 2.x Known Issues
Technical Articles ID:   KB85172
Last Modified:  9/10/2019


Environment

McAfee Threat Intelligence Exchange (TIE) Server 2.x

Summary

Recent updates to this article
Date Update
September 10, 2019 Added General Availability information for TIE 2.3.1 Hotfix 2. References added: TIESERVER-6766, TIESERVER-6767, TIESERVER-6768, TIESERVER-6769, TIESERVER-6724, TIESERVER-6723, TIESERVER-6722, and TIESERVER-7247.
April 23, 2019 Added General Availability information for TIE 2.2.0 Hotfix 1. Added references: 1246409, 1242257, 1237680, 1231412, 1250106, and 1251698.
April 16, 2019 Added General Availability information for TIE 2.3.1 Hotfix 1. Added references: 1270184, 1270670, 1258321, and 1264004.
February 12, 2019 Added General Availability information for TIE 2.3.1. Updated references that were previously resolved by TIE 2.3.0 Hotfix 1, but are now resolved by TIE Server 2.3.1: 1262122, 1262366, 1262895, 1259727, 1266187, 1252977, 1255210, and 1265946.
December 26, 2018 Added TIE 2.3.0 Hotfix 1 (Released to Support) to the release table.
  • Updated reference: 1262122
  • Added references: 1262366, 1262895 and 1259727



Product release information
Version  Release date  Release Notes
TIE Server 2.3.1 Hotfix 2 (GA) September 10, 2019 PD28501
TIE Server 2.3.1 Hotfix 1 (GA) April 9, 2019 PD28314
TIE Server 2.3.1 (GA) February 12, 2019 PD28166
     
TIE Server 2.3.0 Hotfix 1 (RTS)1 December 20, 2018 -
TIE Server 2.3.0 (GA) September 25, 2018 PD27911
     
TIE Server 2.2.0 Hotfix 1 (GA) April 23, 2019 PD28328
TIE Server 2.2.0 (GA) May 8, 2018 PD27561
     
TIE Server 2.1.1 Hotfix 3 (GA) March 14, 2018 PD27606
TIE Server 2.1.1 Hotfix 2 (GA) March 1, 2018 PD27520
TIE Server 2.1.1 Hotfix 1 (GA) December 12, 2017 PD27412
TIE Server 2.1.1 (GA) December 4, 2017 PD27352
     
TIE Server 2.1.0 Hotfix 3 (GA) September 28, 2017 PD27319
TIE Server 2.1.0 Hotfix 2 (GA) September 6, 2017 PD27242
TIE Server 2.1.0 Hotfix 1 (GA) August 23, 2017 PD27199
TIE Server 2.1.0 (GA) June 27, 2017 PD27075
     
TIE Server 2.0.1 (GA) January 25, 2017 PD26865
     
TIE Server 2.0.0 (GA) October 3, 2016 PD26039
 
1 McAfee investigated this issue and a solution is currently available. This solution is currently not generally available, but is in Released to Support (RTS) status. To obtain the RTS build, log on to the ServicePortal and create a Service Request (https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR). Include this article number in the Problem Description field.

See KB51560 for detailed information on release cycles.

Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.

 

 
Reference Number  Related Article  Found Version  Resolved Version  Issue Description
TIESERVER-6724, TIESERVER-6723, TIESERVER-6722 SB10287 2.3.1 2.3.1 Hotfix 2 Issue: Linux kernel TCP Sad SACK vulnerability (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). For more information, see the article in the Related Article column.
TIESERVER-6766, TIESERVER-6767, TIESERVER-6768, TIESERVER-6769 SB10292 2.3.1 2.3.1 Hotfix 2 Issue: Intel "ZombieLoad" microprocessor data leakage flaws vulnerability (CVE-2019-11091, CVE-2018-12127, CVE-2018-12130 and CVE-2018-12126). For more information, see the article in the Related Article column.
1246409, TIESERVER-7247 SB10253 2.2.0 2.2.0 Hotfix 1, 2.3.1 Hotfix 2 Issue: A unique SSH host key is not being created for each instance of TIE Server. SSH host keys generation vulnerability (CVE-2018-6695). For more information, see the article mentioned in the Related Article column.
1242257 SB10253 2.2.0 2.2.0 Hotfix 1, 2.3.1 Hotfix 2 Issue: DHCP client vulnerability (CVE-2018-5732). For more information, see the article mentioned in the Related Article column.
1237680 SB10238 2.2.0 2.2.0 Hotfix 1 Issue: Network Time Protocol (NTP) service vulnerability (CVE-2018-7170, CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185, CVE-2018-5732, and CVE-2018-5733). For more information, see the article mentioned in the Related Article column.
1231412 SB10238 2.2.0 2.2.0 Hotfix 1 Issue: UDP Source Port Pass Firewall vulnerability. For more information, see the article mentioned in the Related Article column.
1250106, 1251698 SB10249 2.2.0 2.2.0 Hotfix 1 Issue: Linux kernel vulnerability “SegmentSmack” (CVE-2018-5390) and the L1 Terminal Fault: OS/SMM vulnerability (CVE-2018-3620). For more information, see the article mentioned in the Related Article column.
1258321, 1264004 SB10272, SB10258 2.3.0, 2.2.0 2.3.1 Hotfix 1, 2.2.0 Hotfix 1 Issue: CVE-2019-3598 and CVE-2018-6703 regarding vulnerabilities with McAfee Agent. For more information, see the article mentioned in the Related Article column.
1270184 SB10279 2.0.1, 2.2.0 2.3.1 Hotfix 1, 2.2.0 Hotfix 1 Issue: CVE-2019-3612 regarding an information disclosure vulnerability. For more information, see the article mentioned in the Related Article column.
1270670 - 2.3.0, 2.2.0 2.3.1 Hotfix 1, 2.2.0 Hotfix 1 Issue: CVE-2019-1559 regarding vulnerability with OpenSSL 1.0.2-1.0.2q.

Resolution: The OpenSSL library is updated to 1.0.2r. 
1265946 - 2.3.0 2.3.1 Issue: (CVE-2018-5391) The Linux kernel, version 3.9 and later, is vulnerable to a denial-of-service attack with low rates of specially modified packets targeting IP fragment reassembly. An attacker can cause a denial-of-service condition by sending specially crafted IP fragments. Many vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability, CVE-2018-5391, became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.

Resolution: Linux kernel parameters are updated to mitigate a remote DoS attack known as FragmentSmack.
1252977, 1255210 - 2.3.0 2.3.1 Issue: (CVE-2018-15473 and CVE-2018-15919) OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

Resolution: OpenSSH updated to 7.4p1-17 solves user enumeration/oracle attacks and includes a configuration change to disable GSSAPI Authentication.
1262366, 1266187 - 2.3.0 2.3.1 Issue: (CVE-2018-5407, CVE-2018-0734, and CVE-2018-0732) A vulnerability has been disclosed for OpenSSL that allows using Cache-like Attacks (CATs) to perform a downgrade attack against any TLS connection to a vulnerable server. It uses a BEAST-like Man in the Browser attack.

Resolution: 
NOTE: This issue was previously resolved by TIE Server 2.3.0 Hotfix 1, which was only Released to Support.
1262122 KB91145 2.3.0 2.3.1 Issue: TIE Server 2.3.0 introduced a new version of log rotation that silently fails to parse the log rotation configuration files. As a result, the tieserver-start.log can exhaust the root partition storage space.

Resolution:
NOTE: This issue was previously resolved by TIE Server 2.3.0 Hotfix 1, which was only Released to Support.

Reference Number  Related Article  Found Version  Resolved Version  Issue Description
1262895 - 2.2.0 2.3.1 Issue: The TIE Server Topology Management page reports a Database and Storage health check error when the query that checks the size of the biggest table is executed while the table is vacuumed.

Resolution: 
NOTE: This issue was previously resolved by TIE Server 2.3.0 Hotfix 1, which was only Released to Support.
1259727 KB91106 - 2.3.1 Issue: Deletion of MAR custom collector fails with the error "Cannot delete the requested Collectors" when the MAR server is active in a TIE Server secondary or reporting secondary appliance.

Resolution: 
NOTE: This issue was previously resolved by TIE Server 2.3.0 Hotfix 1, which was only Released to Support.
1236478 - 2.2.0 2.3.0 Issue: The following error displays when you try to use the ePO System Tree to view which certificate is being used by specific agents:
 
An unexpected error occurred.
 
Errors similar to the following are recorded in the Orion.log:
 
Exception thrown by ActionBean: java.lang.ClassCastException: com.mcafee.tie.server.ext.data.datasource.TieFirstRefDataSourceImpl Cannot be cast to com.mcafee.tie.server.ext.data.datasource.TieReputationSubjectDataSource

Workaround: View the data on the TIE Reputations page:
  1. Open the TIE Reputations page.
  2. Select the certificate.
  3. Select the Where Was Certificate Used action. The data displays without error.
1190547 - 2.1.0 2.3.0 Issue: The TIE Server Infrastructure dashboard displays an empty entry in the DXL Broker monitor when the DXL appliance is used.

Workaround: A new dashboard can include a duplicated and updated query, which does not include blank entries.
1243473  - 2.2.0 2.3.0 Issue: [Extension] Save option is unexpectedly enabled on the Sandboxing tab even when required fields are empty. When clicked, no change is made and no error is thrown. The screen becomes unresponsive with a loading sprite.
1232956 - 2.2.0 2.3.0 Issue: [Extension] Incorrect number of listed files when redirected from the TIE Server Files dashboard.
1240132 - 2.2.0 2.3.0 Issue: [Extension] The following error is shown when running a show Details action in ePO Threat Events, with an Event ID 1027 Malware Detected:
"An unexpected error occurred" 
1240824 - 2.2.0 2.3.0 Issue: [Extension] Users with read-only permissions cannot see Server Settings on the topology page.
1233311 - 2.2.0 2.3.0 Issue: [Extension] The 'Latest Applied Rule' value in an exported TIE Reputation Table report is not the value that is displayed in TIE Reputation section.
1242100 - 2.2.0 2.3.0 Issue: [Server] Installation fails when using a TIE Server ISO file onto either Xen 6.5 or Xen 7.2. Although the installer runs, the console is blank after a system restart.
1240281 - 2.2.0 2.3.0 Issue: [Database] Remote writing is not disabled during a Primary TIE Server upgrade.
1216979 - 2.1.0 2.2.0 Issue: On the File Details, Additional information tab, the property “File Type Matches Extension” value is reversed.
1221868 - 2.1.1 2.1.1 Hotfix 3 Issue: High CPU usage occurs on the TIE Server appliance in environments with multiple endpoints that have a significant number of unique files.

Workaround: Update to TIE 2.1.1 Hotfix 3.
1192947 - 2.1.0 2.1.1 Issue: Errors occur when the reconfig-cert script runs.

Workaround: No workaround is required. These errors do not affect the certificate reconfiguration functionality, only the logging.
1213536 - 2.1.0 2.1.1 Issue: When a submission to McAfee CTD fails because of a connection timeout, temporary files related to this submission are never deleted from the appliance in the /data/tieserver/tmp directory.

Workaround: To remove the discarded files from disk, use the following command:
 
for tmp in /data/tieserver/tmp/*; do rm -fr "$tmp"; done
1193094 - 2.0.x 2.1.1 Issue: Promoting a TIE Server from one operation mode to a new mode fails.

Cause: The PostgreSQL (DB engine) is abnormally closed before the Promotion process completes.
1212584 - 2.1.0 2.1.0 Hotfix 3 Issue: Files that do not match the sandboxing submission criteria are not always removed from the TIE Server appliance.

Workaround: To remove the discarded files from disk, use the following command:
 
for tmp in /data/tieserver/tmp/*; do rm -fr "$tmp"; done
1209091 - 2.1.0 Hotfix 1 2.1.0 Hotfix 2 Issue: An upgrade to TIE 2.1.0 Hotfix 1 fails for Reputation Cache servers.

Workaround: After you upgrade the rest of the servers, deploy a new TIE Server with 2.1.0 Hotfix 1, and assign the Reputation Cache operation mode to it.

Remove the old TIE Server that has the 2.1.0 Reputation Cache.
1193463 - 2.1.0 2.1.0 Hotfix 2 Issue: After an upgrade to TIE 2.1.0, the Cloud Threat Detection (CTD) policy is enabled by default in a non-default TIE policy.

Workaround: Manually disable the CTD integration on the custom policy definitions, if any.
1161086 - 1.3.0, 2.0.0 2.1.0 Issue: Drilling down to the information in TIE Reputation times out when a hash has a large number, such as thousands, of different file names.

Cause: The size of the DXL message with the hash information is larger than the default upper limit.

There could also be another scenario of the same hash being renamed and re-executed under different paths.
-   1.3.0, 2.0.0 2.1.0 Issue: Incorrect ownership in an NTP folder does not allow the drifting mechanism to work. Failure generates an error in the daemon.log file.

Cause: The folder for the NTP drift file has an incorrectly configured owner.

Workaround: Change the owner of the folder by executing the following command:

$ chown ntp:ntp /var/ntp

1167449   2.0.0 2.0.1 Issue: Duplicate entries exist in a multiple ePolicy Orchestrator (ePO) shared topology after reusing a host name.

Cause: Policy exchange between the ePO server causes confusing information to merge when host names are reused.

Workaround: Force policy repopulation from scratch by restarting the ePO services:
  1. Press Windows+R, type services.msc, and click OK.
  2. Restart the following services:

    McAfee ePolicy Orchestrator x.x.x Application Server
    McAfee ePolicy Orchestrator x.x.x Server
1162363 KB88031 2.0.0 2.0.1 Issue: Initial McAfee Agent (MA) configuration fails if ePO certificates are not valid.

Cause: MA provisioning steps try to retrieve and validate ePO certificates, resulting in Failed to get ePO FIPS mode errors.
- - 2.0.0 2.0.1 Issue: Reputation response latency is impacted under load when running the DXL broker inside the TIE appliance.

Cause: The loopback interface is not optimized for low latency messaging by default.

Workaround: Change the current MTU for loopback using the command:
 
ifconfig lo mtu 1500

Append MTU=1500 to the end of /etc/sysconfig/network-scripts/ifcfg-lo to persist the optimization.
1155785   2.0.0 2.0.1 Issue: An error is recorded in the PostgreSQL logs when starting the TIE Server service. The error line is similar to the following:

no pg_hba.conf entry for host "[local]", user "mfetie", database "postgres", SSL off

The PostgreSQL logs are located in /var/McAfee/tieserver/logs, and the log file name is postgresql.log.

Cause: This issue occurs with the latest version of PostgreSQL used in the TIE Server, which includes some initialization checks. As part of database security hardening, the PostgreSQL default database was removed and connections are restricted to the TIE database only.

Workaround: No workaround is needed. This error does not impact TIE Server operation and can be safely ignored.
1160445   2.0.0 2.0.1 Issue: After you upgrade from TIE Server 1.2.1, the following symptoms are observed in the ePO System Tree:
  • TIE Server version appears updated
  • DXL Client version is not refreshed accordingly
  • DXL Connectivity status shows Disconnected
  • DXL Lookup times out
Cause: After the upgrade from TIE Server 1.2.1 completes, the TIE Server is unable to start because PostgreSQL does not start. PostgreSQL does not start due to missing certificates because the Certificate Handshake is not running. Because TIE Server is not actually running, neither is the DXL client; the connectivity check and lookup fail.

Workaround: After the upgrade is complete in the TIE Server appliance, run the reconfig-cert command as root to force the Certificate Handshake process.
- - 2.3.0 n/a Issue: Unattended deployment does not allow multiple DNS servers. Only one preferred DNS server can be configured in the Server Deployment extension.

Workaround: Deploy using a single DNS server and after deployment, add alternative DNS servers through the reconfig-network script.
1205248 - 2.1.0 n/a Issue: An error displays when you select some custom filters and the "Enterprise Reputation" column. Neither of the "Composite Reputation" columns displays.

Resolution: Add the Composite Reputation column.
- - 1.3.0 n/a Issue: When you try to register a TIE Server database with a host name or fully qualified domain name, the following error message displays while you perform a test connection:
 
Test failed: com.mcafee.orion.core.db.base.DatabaseConnectivityException: Failed to get a connection: The connection attempt failed.. Navigate to https://8443/core/config and verify database connection settings
 
Workaround: Use the TIE Server IP address instead of the host name or fully qualified domain name.

In TIE 1.3.0, it is not possible to use the host name or fully qualified domain name when you register a TIE Server database. This limitation is because of the changes implemented in authenticated database connections with certificates signed by ePO.
- KB90844 2.3.0 n/a Issue: The TIE Server Deployment Extension page does not allow accented or double-byte characters in some fields.

Resolution: See the related article for details.
- KB86144 1.3.0 n/a Issue: When you try to upgrade TIE while having significant load on the TIE Server master, or writer, instance, the upgrade process fails. The installation log file located in /var/log/tieserver-*.log contains the following error:
 
ERROR: deadlock detected
 
Workaround: To avoid issues with resource locking, stop related TIE Server service instances and only start the database engine in the affected TIE Server master, or writer. After completing the TIE Server master upgrade, restart TIE Server slave instances and then complete their upgrade.

See the related article for details.
1122996 - 1.3.0 n/a Issue: After sorting is enabled on the TIE File Reputations tab, you cannot remove the filters by disabling the sorting.
1108473 - 1.2.1 n/a Issue: The TIE Reputation page shows missing File Name Reputation metadata.

Resolution: File name and other attributes are sent after execution and might be missing if still not prevalent.

Force attribute metadata submission by manually executing the file on an endpoint.
1054218   1.1.0 n/a Issue: Report and dashboard titles are not localized after you upgrade the TIE Server extensions to version 1.1 or later.

Workaround: Install a clean copy of TIE 1.1 or later extensions. This issue does not occur with a clean installation:
  1. Export custom TIE queries, policies, dashboards, and any others required.

    These items are deleted on uninstallation.
     
  2. Uninstall the TIE 1.1 or later extensions and then install a clean copy of TIE 1.1 or later extensions.
1046267 KB84162 1.1.0 n/a Issue: Performing consecutive TIE Server upgrades, without rebooting the appliance or restarting the MA service, fails with the following error and the MA service crashes. For example, if you do not reboot the appliance or restart the MA service after upgrading the TIE Server from version 1.0.0 to 1.0.1, the upgrade from version 1.0.1 to 1.1.0 will fail.
 
Pre Install
We're in pre-upgrade
Stop the service
Stopping McAfee TIE Server: .Error: %pre(tieserver-1.1.0-248.mlos2.x86_64) scriptlet failed, signal 15
Error: install: %pre scriplet failed (2), skipping tieserver-1.1.0-248.mlos2 "/var/log/tieserver-1.1.0-248.log" 21L, 1059C

Workaround: See the related article for details. To prevent the issue, after upgrading the TIE Server to version 1.0.1, reboot the appliance or restart the MA service before upgrading to TIE Server 1.1.0.
  • To restart the MA service, use the command:
     
    sudo service ma restart
     
  • To restart the appliance, use the command:
     
    sudo reboot
992120 - 1.1.0 n/a Issue: A Global Reviewer user cannot see the TIE Server queries; the TIE Server Reputations page is blank.

Resolution: Create a user and assign the TIE Reputation view as part of its permission sets.
1035058 - 1.0.1 n/a Issue: An incorrect deployment status is displayed when upgrading the TIE Server by deploying the TIE Platform, TIE Server, or DXL Broker from the Product Deployment page. You might see either of the following incorrect statuses:
  • The deployment task displays the status as "Running" even though the TIE Server was upgraded properly. The status never changes to "Installed Successfully."
  • The deployment task displays the status as "Successful" almost instantly after creating the task even though the task has not completed.
Workaround: Create the deployment task from the Create Client Task page instead of the Product Deployment page.
1086567, 1085351 - 1.0.0 n/a Issue: A slow replication period between master and slaves might cause conflicts when handling the same file hash concurrently in different TIE Server instances.

Resolution: Wait until the replication succeeds and retry.
1086039   1.0.0 n/a Issue: The Certificate Search Tab table is not refreshed after an enterprise reputation is changed when running a master/slave configuration with delayed replication.

Workaround: Refresh the information by refreshing the page or querying the certificates.
1022264   1.0.0 n/a Issue: The TIE Reputations page in ePO occasionally shows the following message when searching for Files or Certificates:
 
Unable to communicate with Threat Intelligence Exchange server. Check status of the Tie Server, verify that ePO is authorized to Send 'Tie Service Operation' Topics and 'Tie Set Enterprise Reputation' Topics and verify that Tie Server is authorized to Receive the above Topics.

Explanation:
This error message likely occurs after the TIE Server is restarted, or if the appliance rebooted, but before the DXL Broker TTL has expired.

If you restart the TIE Server multiple times in quick succession, you can expect this error once for each server restart.

For example, if you restart the TIE Server three times in the span of an hour, expect this error message to occur three times, with the fourth search attempt succeeding.

If the Broker TTL has expired before a search is performed, this error does not occur.
989348   1.0.0 n/a Issue: A user without a permission set assigned cannot configure MA in the TIE Server.
 
Workaround: A user with any permission set can configure MA in the TIE Server.

