[BESAdmin-Announcements] BigFix 11.0 - the latest and greatest BigFix platform release - available now!

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Mon Jul 17 13:48:53 PDT 2023

The BigFix Team is pleased to announce the release of BigFix Platform Version 11 (!!!

BigFix Platform 11 delivers three major changes in the security area by adding support for OpenSSL3, SHA384 and TLS 1.3. This releases also delivers new features, an updated list of supported platforms, and several upgraded libraries.

OpenSSL v3

BigFix Platform 11 uses OpenSSL v3 in all its components to ensure maximum protection of network traffic. More in detail, the version of the library is 3.1.1. Aside from the general benefits in the security area, the presence of OpenSSL v3 has the two following major consequences:

·         Any HTTPS communication in which at least one of the two parties is represented by a BigFix Platform 11 component must use TLS 1.2 as minimum protocol version

·         SHA1 is no longer used as hashing signature algorithm to validate TLS communication as well as all BigFix content and actions (SHA1 is still supported as hashing for file downloads)

For more details see the BigFix Platform V11 Overview Page<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_overview.html>

SHA384 support

BigFix 11 uses a stronger hash based on SHA384 as cryptographic digest algorithm for all digital signatures to validate TLS communication and all BigFix content and actions at every step. This change does not affect the hash used to verify downloaded files which can still be SHA1 or SHA256.

SHA256 hash signatures are still supported but you have also the option of enforcing usage of SHA384 only to comply with specific security requirements.

For more details see the BigFix Platform V11 Overview Page<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_overview.html>

TLS 1.3 support

BigFix Platform now supports TLS 1.3 for HTTPS communications among the BigFix components, maintains the support of TLS 1.2 and no longer supports TLS versions lower than 1.2.

By default, BigFix Platform 11 supports both TLS 1.2 and TLS 1.3, while – due to the upgrade to OpenSSL v3 – it does no longer support TLS 1.1 or below.

For more details see the BigFix Platform V11 Overview Page<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_overview.html>

New features:

Relay Drive Space Protection from Downloads

BigFix Platform adds the capability to prevent the BigFix Relay ActiveDownloads folder from filling up, by using a new setting named _BESRelay_Download_ActiveDownloadsMaxSizeMB, which represents the maximum size, specified in MB, that the folder can reach.
For details, see Managing Downloads<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Config/c_managing_downloads.html>

Perl Regular Expressions for non-Windows platforms support

The Perl Compatible Regular Expressions (PCRE) syntaxes, introduced with BigFix Platform 10.0.8 and available on the Windows client, are now also supported on several non-Windows platforms such as Debian, Mac, Raspbian, Red Hat, SUSE, Solaris Intel and Ubuntu.
For details, see regular expression<https://developer.bigfix.com/relevance/reference/regular-expression.html>

Plugin Portal - Optimized devices data serialization
Plugin Portal optimization in terms of memory usage of the plugin portal machine as well as in the evaluation time of fixlets and analyses, with this leading to an increased responsiveness in returning data and executing actions on discovered devices.

Other enhancements

New set of REST APIs

BigFix Platform 11.0 now supports a new set of Rest APIs that enable exploiters such as the BigFix WebUI to access the Download status of the actions. These Rest APIs allow also to re-submit failed downloads.
For details, see Action<https://developer.bigfix.com/rest-api/api/action.html>.

The BigFix Relay Version 11.0 adds support for:

  *   AIX 7.3
  *   Raspbian 11

Added support for new database levels
·         Microsoft SQL Server 2022
·         Microsoft SQL Server 2022 deployed in a docker container

For details, see Installing a server with remote database deployed in a docker container<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_remote_database_docker.html> and Database requirements<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_database_requirements.html>.

Note also that, on BigFix Platform 11.0:

Ø  The minimum supported SQL Server version is 2014 as Microsoft SQL Server 2012 is no longer supported

  *   DB2 is a prerequisite for the installation of the BigFix Server on RedHat Linux. DB2 is not distributed with BigFix 11.

For existing BigFix 9 and 10 customers with a DB2 entitlement, the entitlement remains.

For new customers on BigFix 11, a DB2 license must be acquired.
The BigFix team is considering adding, in the near term, the possibility to use Microsoft SQL Server for BigFix deployments on Linux.

For information about database requirements, see Installation requirements for DB2 database products<https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.qb.server.doc/doc/r0025127.html> and Database requirements<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_database_requirements.html> for information about the DB2 versions supported by BigFix

  *   The operating systems support matrix has been updated as well. In particular, for some platforms the minimum operating system version supported has changed. To see which operating system versions are supported, refer to the V11 system requirements page available at:

Defect Articles (DA), defect fixes and Serviceability enhancements

Several libraires are upgraded to a newer version:

V11 Library Version
Version 3.6.4
Version 8.1.2
Microsoft Visual C++ Redistributable library
Version 2019
Version 3.1.1
Version 2.6.4
Version 3.41.2
Version 1.2.13
Version 1.44.165
Azure SDK
Version 1.0.0 (with azidentity v1.2.0)
Version 0.105.0
Version 0.30.0

Additional information about this release

·         The standalone BigFix tools are published under the 11.0 Utilities<https://support.bigfix.com/bes/release/> section in BigFix Enterprise Suite Download Center

·         A Non-Functional Requirements checklist, covering both performance and security management of your BigFix deployment, is available at BigFix Performance & Capacity Planning Resources<https://bigfix-mark.github.io/>

·         See the full technical changelist<https://support.bigfix.com/bes/changes/fullchangelist-110.txt>
Pre-Upgrade Important Considerations

  *   BigFix Version 10.0.7 is the minimum version supporting the upgrade of the BigFix server components to Version 11. For details, see Upgrade paths (Windows)<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_upgrading1.html> and Upgrade paths (Linux)<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_upgrading1_linux.html>.
  *   You must enable the “Enhanced Security” before upgrading BigFix Platform to Version 11
  *   The minimum TLS supported protocol in BigFix V11 is TLS 1.2
  *   The SHA1 hashing algorithm for content and action signature will no longer be supported. SHA1 is still supported for file download in actionscript. For details, see the BigFix Platform V11 Overview Page<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_overview.html>
  *   The unixODBC RPM package is a prerequisite for the Server components on Linux systems (see Server Requirements<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_bigfix_server.html>).
  *   For detailed information on the specific changes to minimum supported versions of operating systems and databases for BigFix 11, see Detailed system requirements<https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0104120>.
  *   Before getting started with the upgrade process, stop any active application that is connected to the BigFix database (such as WebReports, WebUI, BigFix Inventory, or BigFix Compliance).
Useful links
·         BigFix downloads and release information<https://support.bigfix.com/bes/release/>
·         BigFix 11 Platform Documentation<https://help.hcltechsw.com/bigfix/11.0/platform/welcome/BigFix_Platform_welcome.html>
·         Upgrade Windows considerations<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_upgrading1.html>
·         Upgrade Linux considerations<https://help.hcltechsw.com/bigfix/11.0/platform/Platform/Installation/c_upgrading1_linux.html>
·         Detailed system requirements<https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0104120>

A blog that discusses the benefits of BigFix 11 is available here<https://bigfix-mark.github.io/Blogs/BigFix%2011%20Improvements%20v1.pdf>

Upgrade Fixlets are available in BES Support version 1482 (or later).

Continue discussing at BigFix 11.0 - the latest and greatest BigFix release - available now! - Release Announcements / Platform (Release Announcements) - BigFix Forum<https://forum.bigfix.com/t/bigfix-11-0-the-latest-and-greatest-bigfix-release-available-now/45676>

​​​​​​​– HCL BigFix – Platform Team

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20230717/70b704a3/attachment.html>

More information about the Besadmin-announcements mailing list