McAfee ePolicy Orchestrator 5.3… · Component New version Apache Http Server 2.4.26 Apache...


Upload: trinhdien

Post on 31-Mar-2018


Release Notes

McAfee ePolicy Orchestrator 5.3.3

Contents

• About this release

• Enhancements

• Resolved issues

• Known issues

• Installation instructions

• Getting product information by email

• Find product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

Release build — 5.3.3

Upgrade paths

At the time of the current release, you can upgrade these versions to McAfee® ePolicy Orchestrator® (McAfee® ePO™) 5.3.3:

• McAfee ePO 4.6.9

• McAfee ePO 5.1.0

• McAfee ePO 5.1.1

• McAfee ePO 5.1.2

• McAfee ePO 5.1.3

• McAfee ePO 5.3.1

• McAfee ePO 5.3.2

Upgraded components

The current release upgrades these components.

| Component | New version |
|---|---|
| Apache Http Server | 2.4.26 |
| Apache Tomcat | 7.0.79 |
| Java Runtime | 1.8.0_144 |
| OpenSSL | 1.0.2k |

Supported platforms

The current release is compatible with these platforms.

Operating System and Agent Handler Support

• Windows 2008 R2

• Windows Server 2012

• Windows Server 2012 R2

• Windows Server 2016

Database

• Microsoft SQL Server and SQL Express Edition 2008 SP1

• Microsoft SQL Server and SQL Express Edition 2008 R2

• Microsoft SQL Server and SQL Express Edition 2012

• Microsoft SQL Server and SQL Express Edition 2014

• Microsoft SQL Server and SQL Express Edition 2016

Browser Support

• IE 8.0 or later (including full support for compatibility mode)

• Firefox 24.0 or later

• Chrome 30.0 or later

• Safari 7.0 or later

• Microsoft Edge (Spartan browser)

This version of McAfee ePO 5.3.3 requires enabling TLS 1.1 or 1.2 support on your browser.

Enhancements

The current release of the product includes these enhancements.

Replaced Oracle Java SDK with AZUL JAVA SDK

The current release replaces the Oracle Java SDK with the AZUL Java SDK in McAfee ePO.

Removed SQL Express 2008 from McAfee ePO installer

The outdated version of SQL Express was removed from the installation package to speed up download and installation times. If you still want to use Microsoft SQL Express for evaluation purposes, you can download the latest version from Microsoft.


Interface changes to Software Manager

This graphic shows the changes to the Software Manager interface.

Added License Key, Edit link — At the bottom of the Product Categories tree, next to License Key, click Edit to navigate to the Edit License Key page. There you can edit and save your software license key.

The actions that previously appeared in the component description are moved to the blue bar above the component list table.

Interface changes to Master Repository

This graphic shows the changes to the Master Repository interface.


Added checkboxes — To change multiple packages at once, click the checkbox next to each package, then select an action from Actions.

Preset now filters based on Package Type instead of Repository Branch.

Added a Create Deployment Task action to the Actions list to create a Product Deployment project.

Added a Quick find filter — Above the Components list, you can type a string and click Apply to search for specific packages in the list.

Interface changes to Product Deployment

This graphic shows the changes to the New Deployment interface.


Choose the type of deployment — These configuration settings were removed and the setting is now configured automatically.

In Select your software, the + and – were replaced with the + Add another package link at the bottom of the section.

In Select the systems, Select Individual Systems, and Select by Tag or Group to display options for selecting systems.


Select Deployment was added and includes:

• Auto Update — Previously part of Choose the type of deployment.

• Allow end users to postpone this deployment (Windows only) — Previously part of Select the systems.

• Maximum number of postponements allowed — Previously part of Select the systems.

• Option to postpone expires after (seconds) — Previously part of Select the systems.

• Display this text — Previously part of Select the systems.

Reworded option Select a start time to Start time.

Interface changes to Dashboards

This graphic shows the changes to the Dashboards interface.

A bell icon appears in the title bar, next to Log Off. A red icon indicates that software updates are available to download. By default, the icon is grey. Click the icon and the Software Manager page opens. Hover over the bell icon to show the software update status.

Database

Flattened the DB views — The current release has reduced the number of database tables.

Resolved issues

The current release of the product resolved these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.


Security fixes

• This release addresses an exploitable blind SQL injection vulnerability. (1178482)

• This release addresses a vulnerability to an XML External Entity attack vector. (1172163)

• This release incremented OpenSSL to 1.0.2k to address several vulnerabilities. See McAfee SB10197, ePolicy Orchestrator is vulnerable to Sweet32 vulnerability (CVE-2016-2183), for details. (1179805)

• This release addresses several cross-site scripting (XSS) vulnerabilities. (1164201, 1129029, 1176815, 1164200, 1191816, 1146936)

• This release updates the RSA BSAFE libraries to mitigate several vulnerabilities. (1165495, 1143825, 1126375, 1206799, 1156886)

• This release improves session security for REST APIs. (1192801)

• This release addresses a vulnerability to a clickjacking attack vector. For details, see McAfee ePO Sustaining Statement SSC1605241. (1136306)

• This release addresses a vulnerability to a file upload attack vector. For details, see McAfee Security Bulletin SB10196. (1192756)

• The sitemgr.xml file stored in the database is no longer unnecessarily written to the McAfee ePO installation directory. (1181918)

• This release updated the Apache Tomcat Server.xml file with more secure ciphers. (1082477, 1184229)

• This release signs files with an SHA-2 certificate. (1172676)

• In some browsers, credentials to push agent installations are stored in a server task that can be cached and displayed in plain text. This release fixes the issue so that the credentials are no longer displayed. (118936)

• McAfee ePO used Apache Http Server version 2.4.16. This release uses Apache Http Server version 2.4.25. (1192216)

• This release addresses the Windows Alternate Data Streams vulnerability. (1199165)

• Fixed SQL Injection in getByQuery implementation for Tag Selection workflow. (1199537)

• This release addresses several Apache Http Server vulnerabilities. (1203850)

• This release addresses a blind command injection vulnerability. (1204296)

• This release adds TLS 1.2 support for McAfee ePO outbound connections. (1177554)

Client and server tasks

• If any server task to synchronize shared policies between McAfee ePO servers failed to synchronize any policies on any one of the McAfee ePO server databases, then none of the servers could be reached. Now synchronization failure does not cause connection failures. (1164882)

• Server tasks configured to run client tasks on the results of a query are no longer marked as "failed" if the query returned no results. (1190210)

Database

• Small queries running for long periods no longer fill the TempDB database in the SQL database, which caused data channel connection failures and other symptoms. (1194021)

• In the McAfee ePO database, many objects were created with QUOTED_IDENTIFIER set as OFF. Usually this was not a problem. Now all objects have QUOTED_IDENTIFIER set as ON. (1190626)


Queries and reports

• The message "An unexpected error occurred" no longer appears when you run a query, the data appears, you select any data row, and click Show Related Systems. (1168845)

• Queries run in the McAfee ePO console no longer hang and always return results. (1184150)

• When you run certain queries from the McAfee ePO console, the results are now returned successfully, as they are when running the same query using the SQL database. (1147149, 1154903)

• A custom logo in the report header now scales correctly to the output page size. (1111758)

• In the Queries and Reports page, you no longer see the same group listed twice in the System Tree under My Groups. (1161177)

Upgrades and installation

• After an upgrade to McAfee ePO 5.3.2, the Application Server Service (tomcat) no longer crashes when replicating to a UNC repository. (1183834, 1184383)

• Upgrades no longer fail after running the VerifyMFSSCoreStarted.cmd. (1149615)

User interface

• When you create a Simplified Deployment task using the Product Deployment page, and check the task Start Date, the correct date appears. (1178734)

• In the Tag Catalog Preview page, the option Reset X manually tagged and excluded systems is now grayed out if you create a Tag with no criteria, manually create a computer object, and assign the tag to the computer. (1192233)

Other fixes

• Reviewers are no longer given Global Administrator permissions after upgrading from 4.6.x to 5.1.x, or after exporting permissions from 4.6.x to 5.1.x. (1165842)

• An error no longer occurs when rebuilding the server.keystore that can cause sustained high CPU use by eventparser.exe when parsing HDLP events. (1145404)

• The eventparser no longer crashes several times and eventually hangs and stops parsing events. (1145604)

• When the event parser showed "COM Error 0x8007000E, source=(null), desc=(null), msg=Not enough storage is available to complete this operation" in the Event Parser Log, it closed and started up with a new ProcessID continuously, then eventually hung. Now this behavior does not occur. (1145604)

• When using the "checkInPackage" API command with a non-Global Administrator account, an "Authorization fails" error no longer appears. (1146906)

• In the System Tree, when you tested sorting, you could only see systems with sorting enabled. Now all systems remain visible. (1166071)

• McAfee ePO no longer provides an incorrect policy in rare circumstances when system-based policy assignments are used. (1161057)

• The stored procedure, EPODirSort_SearchCreateComputer, associates Audit Log entries, and the correct user appears when a new system is added to the System Tree. (1127969)

• Excess Notify Agent errors no longer appear in the Audit Log after a deployment using DXL. (1149282)

• The Server Task page no longer takes 2–3 minutes to display in some circumstances. (1157280)

• When changing assignment criteria for the Policy Assignment Rule criteria, long request parameters no longer cause unexpected errors. (1162479)


• When you check in the McAfee Endpoint Encryption version 7.X package and extensions to McAfee ePO, the Audit logs no longer contain many 'Delete policy object: "EE System -...' log entries. (1163797)

• An Apache out-of-memory condition no longer causes a failure to process data channel requests that resulted in agent-server communication failures with "Connection refused" and "Server busy" error messages. (1165874)

• Agents now show the "LDAP Location" under System Tree. (1166479)

• New user policies appear faster. (1166555)

• An SQL exception no longer appears in the Orion log when retrieving product settings for some extensions. (1167417)

• After importing a global reviewer permission set, users are no longer granted some global administration permissions. (1169577)

• If you configure custom properties on a McAfee Agent with the command msaconfig -CustomProps3 "MyCustomProp3", then wake up the agent, or collect and send the properties from the McAfee Agent, clicking Action | Agent | Set Description, no longer deletes the configured custom properties. (1192911)

• When editing policies, policies are no longer listed twice after renaming or duplicating a policy until the screen is refreshed. (1116241)

• You can now successfully browse for new users in a User-based Policy Assignment Rule with Internet Explorer 11. (1130526)

• After importing a permission set, the user no longer has access to product policies or tasks. (1135467)

• Exclusion tags assigned to a deployment task are no longer removed. (1138683)

• When editing policies, the Save and OK buttons are accessible, as expected. (1144868)

• The Delay this task setting is preserved in the run at startup schedule for client tasks. (1160942)

• McAfee ePO administrators can no longer obtain unauthorized read and write access to McAfee ePO via URL manipulation. (1164199)

• When McAfee DXL is installed on the client, a push installation of the McAfee Agent expired immediately without trying the installation. Now the installation starts as expected. (1167998)

• After importing Master Repository security keys packages, the repositories are no longer incorrectly marked as unsigned. (1169042)

• The task ownership page took 20–30 minutes to open if there were many Windows NT users to list. Now it opens quickly. (1169803)

• When Active Directory synchronization runs, some computers are no longer populated to unexpected locations in the System Tree. (1171403, 1198592)

• The Microsoft Visual C++ 2005 Redistributable Package is no longer installed or required by McAfee ePO. (1183184)

• Excess Notify Agent errors no longer appear in the Audit Log after upgrading McAfee ePO. (1183215)

• Agent-server communication no longer fails due to a maximum connection state when running an AD Sync task that is synchronizing many computer objects. (1195175)

• Server tasks no longer stop running when a McAfee ePO server is offline. Instead, the tasks continue to the next server. (1198424)

• Manually assigned permission sets are visible to all administrators. (1110599)


• Adding or deleting a user to the UserDirectory no longer takes a long time to complete. (1124003)

• The LDAP sync server task no longer deletes user and group events for users that are still referenced by other groups. (1203000)

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article: KB82675.

Installation instructions

The current release of the product has specific installation requirements and best practices.

For information about installing or upgrading ePolicy Orchestrator software, see the McAfee ePolicy Orchestrator Installation Guide.

Best practice: Run the Pre-Installation Auditor

Before you upgrade McAfee ePO, run the McAfee ePO Pre-Installation Auditor to reduce or prevent upgrade issues.

Running the auditor automates many of the verification tasks included in the upgrade process.

Task

1 Download the McAfee ePO Pre-Installation Auditor from the McAfee ePO Downloads page:

secure.mcafee.com/apps/downloads/my-products/login.aspx

2 Double-click ePIP.exe to start the auditor, then follow the prompts.

For more information, see the McAfee ePO Pre-Installation Auditor Release Notes.

Requirements for installation or upgrade if using SSL connection to SQL Server

Your installation or upgrade might fail if you use an SSL connection between your McAfee ePO 5.3.3 server and your SQL database.

This release of McAfee ePO updated the RSA libraries that have additional security requirements for communication with the database. To meet the new compatibility requirements, install all available Windows updates on your McAfee ePO server and the SQL Server before starting the installation or upgrade.

For details, see McAfee KB87731 article, Installation or upgrade to ePolicy Orchestrator 5.3.3 and 5.9 fails when using SSL connection for SQL Server.

Enable TLS 1.1 or 1.2 on your browser

This version of McAfee ePO 5.3.3 requires enabling TLS 1.1 or 1.2 support on your browser.

To provide additional security for the communications between your web browser and your McAfee ePO server, you must enable TLS 1.1 or 1.2 support on your browser.

See the documentation for your browser to enable TLS 1.1 or 1.2 support.


Getting product information by email

The Support Notification Service (SNS) delivers valuable product news, alerts, and best practices to help you increase the functionality and protection capabilities of your McAfee products.

To receive SNS email notices, go to the SNS Subscription Center at https://sns.secure.mcafee.com/signup_login to register and select your product information options.

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.

Copyright © 2017 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
