While off on annual leave recently I had a few minutes to spare to look through twitter and came across a tweet from Adam J Bergh (@ajbergh) about a remote code execution vulnerability in Cisco UCS Central. You can read more about the threat over on threatpost.com but the synopsis is that “an exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user”. UCS Central version 1.2 and earlier are affected by this so it’s time to upgrade. Particularly since the vulnerability score is at the highest severity of 10. So before I go on I want to thank Adam for his tweet and highlighting the issue in the first place.
There are different steps to perform during the upgrade depending of whether UCS Central is in standalone mode or is part of a cluster. You can find more information about both methods over on the UCS Central Install and Upgrade Guide. Some of the key things to keep in mind are the supported upgrade paths and the pre-requisites before beginning the upgrade.
- UCS Central 1.3 requires a minimum of 12Gb RAM and 40GB storage space (otherwise the upgrade will fail)
- Use the ISO image for an upgrade to UCS Central
- After the upgrade clear the browser cache before logging into the Cisco UCS Central GUI
- Make sure UCS Manager is 2.1(2) or newer
- Make sure to take a full state backup before starting the Upgrade Process
- From 1.1(2a) to 1.3(1a)
- From 1.2 to 1.3(1a)
Note: I’m running version 1.1(2a)
Some of the new features in version 1.3 include:
- HTML5 UI: New task based HTML5 user interface.
- KVM Hypervisor Support: Ability to install Cisco UCS Central in KVM Hypervisor
- Scheduled backup: Ability to schedule domain backup time. Provides you flexibility to schedule different backup times for different domain groups.
- Domain specific ID pools: The domain specific ID pools are now available to global service profiles.
- NFS shared storage: Support for NFS instead of RDM for the shared storage is required for Cisco UCS Central cluster installation for high availability.
- vLAN consumption for Local Service Profiles: Ability to push vLANs to the UCS Manager instance through Cisco UCS Central CLI only without having to deploy a service profile that pulls the vLANs.
- Support for Cisco M-Series Servers.
- Connecting to SQL server that uses dynamic port.
- Support for SQL 2014 database and Oracle 12c Database.
I’m really looking forward to seeing what the new HTML 5 UI is like. The initial screenshots I’ve seen are awesome. There’s a nice little introduction from Cisco over on their support site. Also, Jacob Van Ewyk has written a really informative article over on Cisco Communities with details about the UCS Central User Interface Reworked with UCS Central 1.3.
Step 1. – Download software:
So the first thing to do is to download UCS Central version 1.3 and log in with your Cisco ID. In most cases you’ll need the ISO to do the upgrade as you’ll already have UCS Central installed and will be looking for an upgrade. Select Cisco UCS Central ISO Installer and click Download.
Click Accept License Agreement
Download will begin
Step 2. – Take a full state backup:
Go to UCS Central and log in using your administrator account. This is most likely the same as your UCS Manager login.
Go to Operations Management -> Backup and Import -> UCS Central and click on Create System Backup
You can take a remote backup
Or a local backup. If you take the local backup you’ll need to later Download the file to your local system
As I’m a bit of a stickler for making sure I have a get out of jail card to play I also ran a Tech Support Files creation and downloaded it locally to have, just in case I ever need it.
Step 3 – Upgrade Process:
Attach the downloaded ISO to your instance of UCS Central.
Reboot the UCS Central VM and on reboot select Upgrade existing Cisco UCS Central
The install process will begin
After a few minutes you’ll be requested to reboot the appliance
Next you can access the normal console by using the existing link from before the upgrade. This will show that the version is indeed 1.3. you can also click on Switch to Next Generation User Interface. The legacy UI will look pretty much the same as the previous versions of UCS Central.
The real difference is in the HTML 5 Interface which can be accessed by using the URL https://<UCSCentralName>/ui.
HTML 5 Interface Overview:
When you initially launch and log into the new interface you’ll be greeted by a message to advise of a brief tour to get a better understanding of the interface. The menu is completely different in the HTML 5 version than the legacy browser version. Click Next to work your way through the tour.
Once the tour is completed you can then have a bit of a play around with the new menu and how it works and get a feel for how you can be use it. The first thing I went to was the Domains from the Drop-down menu.
One view I found interested and is a great one to who your manager is the ID universe which quickly shows the current status of the various pools and address ranges.
Another really sweet feature in the new interface is the inclusion of information on how to define policies. All Policies from the menu shows this, if you have any globally related policies they will appear here.
To get information about a specific domain I went for the tree-structure menu and selected one site. From there I selected Servers which opened the details about all the servers in a new tab. The break-out of the information in the new interface is really nice and something I’m looking forward to playing around with a bit more.
You can then click on each server to drill down further to get more information.
In the drop down menu in the top right corner you have the ability to modify the power settings or toggle the LED locator of the server
In the second menu icon, the arrow, you can launch a KVM connection to the server or launch the UCS Manager for the domain
As mentioned earlier the menus are very different to the previous interface so things like firmware, backup, licenses etc are now contained within the toolbox icon at the top of the page.
With the new backups you are provided with the steps to create backups of both the UCS domains and UCS Central. It’s a really handy bit of information and a nice touch.
You can then access any alarm, fault, event or log information from the bell icon.
I think the new interface is really well designed and Cisco have made a massive jump ahead in their interface accessibility. I’ll be spending the next few days playing around with the backups and seeing what else it can surprise me with. It’s funny as I had no intention of upgrading and hadn’t even heard of the new release until I saw the tweet by Adam. So now I’ve a nice swish new management console and the security vulnerability is also taken care of. If only all security vulnerability fixes has such a nice outcome! I’m delighted to have upgraded and if you get a quick few minutes to spare I’d recommend doing the same. Enjoy!