VMware Carbon Black EDR Server 7.6.1 | 23 DEC 2021 | Build 7.6.1.211222 Check for additions and updates to these release notes. |
VMware Carbon Black EDR 7.6.1 is a maintenance release of the VMware Carbon Black EDR (formerly CB Response) server and console. This release delivers the upgrade of Apache Log4J to 2.17.0, which implements the official mitigations for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
See the Third Party Updates section for more details.
Components Included in this Release
Each release of VMware Carbon Black EDR software is cumulative and includes changes and fixes from all previous releases.
This document supplements other Carbon Black documentation. Supplemental release documentation can be found in the Carbon Black EDR section of docs.vmware.com.
In addition to this document, you should have access to the following key documentation for VMware Carbon Black EDR Server 7.6.1:
This section describes the requirements and key information that is needed before installing a VMware Carbon Black EDR server. All on-premises users, whether upgrading or installing a new server, should review this section before proceeding. See the appropriate section of the VMware Carbon Black EDR 7.6 Server/Cluster Management Guide for specific installation instructions for your situation:
Customers on Server 5.x, please note:
Direct upgrades from Server 5.x to Server 7.x are not supported. See the VMware Carbon Black EDR 7.6 Server/Cluster Management Guide and this VMware Carbon Black User Exchange announcement for more information.
VMware Carbon Black EDR Server software packages are maintained at the Carbon Black yum repository (yum.distro.carbonblack.io). The links will not work until the on-prem General Availability (GA) date.
The following links use variables to make sure you install the correct version of VMware Carbon Black EDR, based on your machine’s operating system version and architecture.
Use caution when pointing to the yum repository. Different versions of the product are available on different branches, as follows:
baseurl= https://yum.distro.carbonblack.io/enterprise/7.6.1-1/$releasever/$basearch
This link is available as long as this specific release is available. It can be used even after later versions have been released, and it can be useful if you want to add servers to your environment while maintaining the same version.
baseurl= https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/
This URL will point to version 7.6.1-1 until a newer release becomes available, at which time it will automatically point to the newer release.
Note:
Communication with this repository is over HTTPS and requires appropriate SSL keys and certificates. During the VMware Carbon Black EDR server install or upgrade process, other core CentOS packages can be installed to meet various dependencies. The standard mode of operation for the yum package manager in CentOS is to first retrieve a list of available mirror servers from http://mirror.centos.org:80, and then select a mirror from which to download the dependency packages. If a VMware Carbon Black EDR server is installed behind a firewall, local network and system administrators must make sure that the host machine can communicate with standard CentOS yum repositories.
Operating system support for the server and sensors is listed here for your convenience. The VMware Carbon Black EDR 7.6 Operating Environment Requirements document describes the full hardware and software platform requirements for the VMware Carbon Black EDR server and provides the current requirements and recommendations for systems that are running the sensor.
Both upgrading and new customers must meet all of the requirements specified here and in the VMware Carbon Black EDR 7.6 Operating Environment Requirements document before proceeding.
Server / Console Operating Systems
For best performance, Carbon Black recommends running the latest supported software versions:
Installation and testing are performed on default install, using the minimal distribution and the distribution’s official package repositories. Customized Linux installations must be individually evaluated.
However, if the customers are pinning dependencies to a specific OS version, the product only supports the following software versions for the Carbon Black EDR Server and Unified View:
Note: Versions 7.3, 7.4, and 8.1 (64-bit) of CentOS/RHEL are not supported if customers are pinning dependencies.
Installation and testing are performed on default install, using the minimal distribution and the distribution’s official package repositories. Customized Linux installations must be individually evaluated.
Sensor Operating Systems (for Endpoints and Servers)
For the current list of supported operating systems for VMware Carbon Black EDR sensors, see https://community.carbonblack.com/docs/DOC-7991.
Note: Non-RHEL/CentOS distributions or modified RHEL/CentOS environments (those built on the RHEL platform) are not supported.
VMware Carbon Black EDR 7.6.1 comes with updated sensor versions. Servers and sensors can be upgraded independently, and sensors can be upgraded by sensor groups.
Decide whether you want the new sensor to be deployed immediately to existing sensor installations, or install only the server updates first. Carbon Black recommends a gradual upgrade of sensors to avoid network and server performance impact. We strongly recommend that you review your sensor group upgrade policies before upgrading your server, to avoid inadvertently upgrading all sensors at the same time. For detailed information on Sensor Group Upgrade Policy, see the Sensor Group section of the VMware Carbon Black EDR 7.6 User Guide.
To configure the deployment of new sensors by using the VMware Carbon Black EDR web console, follow the instructions in the VMware Carbon Black EDR 7.6 Sensor Installation Guide.
Apache Log4J: 2.13.0 → 2.17.0
CB-33355: In some cases, a process Watchlist will produce more hits than alerts
When a Watchlist query is executed using the original terms (e.g. process_name:notepad.exe), both the original segment (with events) and the tagged segment (without events) are returned, and both results appear on the Watchlists page. This makes it appear that there have been two hits, when in fact, there was only one. The result is two apparent hits, but only one alert, which is deceptive.
CB-37654: Query Requires Double Quotation Marks
In Server 7.6.0, on the Process Search page, a process query built with Add search terms > Choose criteria > Fileless > Command line contents > [Insert text] only returns the proper results if the user encloses the query in double quotation marks (““ ””).
CB-33586: Red dot does not display
In Server 7.5.0, on the Process Search page, a process that has a Threat Intelligence Feed hit tag in one segment may not display the feed hit icon (a red dot) when “Group by process” is selected.
CB-35139: Binary Search searches sometimes return zero results
In Server 7.5.0, Binary Search searches can sometimes return zero results when there are matching results that should be returned.
CB-35147: Submitted child process events of type "2" (other exec) do not properly store the process PID
In Server 7.5.0, when using the GET /v3/{guid}/event API (or GET /v5/{guid}/event), submitted child process events of type "2" (other exec) do not properly store the process PID
CB-35148: Process information not properly returned
In Server 7.5.0, when using the GET/v1/process/{guid}/{segmentid}/preview API, process information is not properly returned.
CB-35335: A user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page
In Server 7.5.0, a user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page when they try to execute a Live Query that includes that sensor group.
CB-35668: In the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered to save
In Server 7.5.0, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration in order to save, even when the first option, “Do not mark watchlists as expired if they have no hits.” is selected. The configuration should successfully save when “Do not mark watchlists as expired if they have no hits.” is selected and the “Notify me when watchlists have not received hits in” value is blank.
CB-35676: Searching for a range of IP addresses on the Search Threat Reports page is broken
In Server 7.5.0, on the Search Threat Reports page, searching for a range of IP addresses (Add Criteria > IP address > enter a range of network addresses) is broken. The query attempt will repeat indefinitely but never successfully complete until the user forces it to stop or closes the browser.
CB-33352: cb-enterprise fails to install on RHEL/CentOS 8 with FIPS 140-2 enabled
This issue is due to a change in Red Hat 8 that affected Paramiko (https://bugzilla.redhat.com/show_bug.cgi?id=1778939).
Use RHEL/CentOS 7 if you enable FIPS 140-2.
CB-31136: Live Query fails to take the SensorInactiveFilterDays setting into account
Live Query fails to take the SensorInactiveFilterDays setting into account when determining which sensors to target. The sensor count on the right side of the ‘Current query’ bar shows all targeted sensors, while the quantity of targeted sensors in the ‘Run New Query’ pop-up does account for SensorInactiveFilterDays, and will sometimes show a lower number.
CB-24519: Older files did not get SHA-256 values
After an upgrade of server and sensor, older files did not get SHA-256 values. When an older file is executed, it creates a process event that contains SHA-256. When a user clicks the link, the binary store shows no SHA-256.
CB-20565: Cannot enable or disable Alliance Sharing
When using a custom email server, you cannot enable or disable Alliance Sharing.
Disable the custom email server, make the change, and re-enable the custom email server.
CB-18936: Malformed CSV Export
The CSV export of the user activity audit is malformed in certain cases.
CB-18927: The CSV export of Recently Observed Hosts has no header row.
CB-37282: Large Scripts Can be Reported Incorrectly
Large (>64KB) scripts in the Windows Sensor 7.2.0+ can be reported incorrectly, which causes corrupted fileless_scriptload_cmdline data to be sent to the Carbon Black EDR Server. The bug fix is targeted for inclusion in Windows Sensor 7.3.0. As a result, the Process Analysis page can present fileless_scriptload events with corrupted fileless_scriptload_cmdline content. In this case, the corrupted content is replaced with the error message: “<Corrupt command line data found>”.
VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.
Use one of the following channels to request support or ask support questions:
Reporting Problems
When contacting Carbon Black Technical Support, provide the following required information:
Note: Before performing an upgrade, Carbon Black recommends you review the related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.