2 Intern

20.4K Posts

January 27th, 2015 21:00

ESA-2015-015 Question

EMC Software: EMC Isilon OneFS 6.5.x
EMC Software: EMC Isilon OneFS 7.0.1.x
EMC Software: EMC Isilon OneFS 7.0.2.x
EMC Software: EMC Isilon OneFS 7.1.0.x
EMC Software: EMC Isilon OneFS 7.1.1.0 - 7.1.1.1
EMC Software: EMC Isilon OneFS 7.2.0

On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) protocol when using a block cipher in Cipher Block Chaining (CBC) mode that may affect EMC Isilon OneFS customers.

The following release contains the resolution to this issue:

  • EMC Isilon OneFS 7.1.1.2

EMC recommends that all customers running versions prior to 7.1.1.2 upgrade to the version listed above at the earliest opportunity.

Isilon Engineering is continuing to develop fixes for the other code branches. This ESA will be updated when fixes are available for additional versions.

Note: The following versions of EMC Isilon OneFS will not be remediated:
  • EMC Isilon OneFS 6.5.x
  • EMC Isilon OneFS 7.0.1.x
  • EMC Isilon OneFS 7.1.0.x

I am trying to understand if version 7.1.0.x will be patched at some point?

76 Posts

January 28th, 2015 00:00

No, 7.1.0.x is not slated to receive a patch for this issue, at present.  I believe 7.0.2.x and 7.2.0.x are slated to receive a fix in a future maintenance release.  I can't speak to why 7.1.0.x was omitted.

2 Intern

20.4K Posts

January 28th, 2015 03:00

Hmm, this is a problem. EOPS for 7.1.0.x has not even been announced yet but you are refusing to patch it?

https://support.emc.com/docu45445_Isilon-Product-Availability.pdf

2 Intern

20.4K Posts

January 28th, 2015 07:00

I am raising a stink about this with my sales team. By refusing to patch the 7.1.0.x version you are effectively saying you are not supporting that version?

76 Posts

January 28th, 2015 07:00

While I don't have control over patch releases, I have begun a discussion with a colleague who's in the know to try to find out why 7.1.0.x isn't on the list.  Please stay tuned...

2 Intern

20.4K Posts

January 28th, 2015 08:00

Thank you Bernie

2 Intern

20.4K Posts

January 29th, 2015 06:00

Fresh off the press, the latest copy of "EMC Software Release and End of Service Life Notifications". Does anyone else think it's a problem that Isilon refuses to support their product?

1-29-2015 9-46-41 AM.jpg

300 Posts

January 29th, 2015 07:00

Of course this is a problem. It may be a strategy to force the customers to switch to a more widely spread code branch so they can focus on this.

Since the bugs I report i.e. for 7.0.2 get fixed in other code branches (7.1.1) I stopped expecting patches / MRs for my code versions...

From my point of view 7.1.0 is like a stepchild. It's there but it's not really welcome.

2 Intern

20.4K Posts

January 29th, 2015 07:00

That is not going to fly. If Isilon releases a version of software they are on the hook to support it until it meets their EOPS date.

1.2K Posts

January 29th, 2015 07:00

What scares me more is seeing six code branches being offered as GA at the same time, with four target codes.

While one might argue that "choice" is good, a bit more focus should help produce better code with present resources...


Support for A.B.c.* can also mean: MINOR(!) update to A.B.d.* if I am not mistaken here.

Just my 2 cents

-- Peter

12 Posts

January 29th, 2015 18:00

Let me clarify some of the conversation that has been happening on this thread - I work within the Product Management team on EMC Isilon.

As a direct answer to the original question, you should work with support to request a 7.1.0.x patch for the specific vulnerability. We make calls on doing patches based on a bunch of circumstances (severity of the issue, ability to patch - sometimes a vulnerability cannot be patched, broadness of applicability etc). We fully support 7.1.0.x. For this specific instance, just the timing of the issue was such that it didn't allow us to patch 7.1.0.x releases and there isn't a set date for the patch.

Now going to a more general discussion so that there is clarity around how we think about releases. In Isilon parlance, let's understand what major and minor releases are. If we number a release 'a.b.c.d', for us, a major code family is a.b, and a minor code family is a.b.c. As an example, 7.1 is a major code release family and 7.1.0 or 7.1.1 are minor code release families within the 7.1 major family. Our general policy (and there are always exceptions as I described above) is that when a minor family reaches target code status, it succeeds all prior minor families. We continue to make changes and fixes to the target code branch. In general (and every customer has their set of constraints), we encourage customers to upgrade to the latest target code.

There are two rationales for doing this:

1. To enable customers to take advantage of the fixes we continually make

2. Efficiency from an engineering standpoint

So, when the prior posting says that 7.1.0 is not being fixed, that is an incomplete statement. We continue to make fixes on the 7.1 major release branch and specifically within the 7.1.1 minor code branch now that the latter has attained target code status. Of course, as I described earlier, you _always_ have the ability to request patches on a supported code branch through support.

Do let me know if there are follow on questions or concerns that I can help address. Thank you for being an EMC Isilon customer.

Regards

Ashish Palekar

T: @logicalblock

B: http://logicalblock.wordpress.com

2 Intern

20.4K Posts

January 29th, 2015 18:00

Ashish wrote:

So, when the prior posting says that 7.1.0 is not being fixed, that is an incomplete statement.

This is not an incomplete statement, this is an incorrect statement, we agree on that? There is a difference in saying "will not be remediated" and "will be remediated as soon as a solution is available".

So to summarize, is Isilon committing to support 7.1.0.x until Oct 31, 2016? I am not asking for new features, I am not asking for new widgets. I want to make sure you are committing to fixing bugs and addressing security vulnerabilities. We are paying a couple of million dollars in premium support every year. I don't have to beg for you to support something that we just bought last spring.

99 Posts

January 30th, 2015 08:00

Some perspective...take it FWIW.

Ashish's comments are not only accurate but precise.  Perhaps the angst around this topic revolves around a common misconception.

When a customer buys a license for OneFS, they are buying a major version.  As Ashish says, major versions are 6.5, 7.0, 7.1, 7.2, etc.  I call these 'single-dot' releases, for obvious reasons.  The common misconception is that what you purchase as a customer is a minor, or 'double-dot' release.  You don't.  You buy single-dot releases and maintenance to them.

EMC Isilon is committed to providing service and support for the major releases.  How it accomplishes that business function is found in detail in the legal T&Cs, but in the colloquial, EMC Isilon does this via two mechanisms:

1) minor releases, aka 'double-dot', which are developed and issued periodically.  As Ashish says, examples of minor releases in the 7.1 major release train are 7.1.0 and 7.1.1.  For the last two years, EMC Isilon did two or three minor releases each year.  Starting in late 2012, we did 7.0.0, 7.0.1 and finally 7.0.2 minors for the 7.0 major.  Starting in late 2013, similarly, we did 7.1.0 and 7.1.1 minors for the 7.1 major.  Here we are in 2015.

2) maintenance releases, which are periodic updates containing fixes to minor releases.  Examples are 7.0.2.9, 7.1.0.6 and 7.1.1.2.

The operational support of the 7.1 major release is provided via the designated target code for that major.  Over time, for any given major, the target changes as EMC Isilon provides updates, enhancements and fixes.  As Ashish mentions, the target code for the 7.1 major is slated for the 7.1.1 minor, specifically at whatever triple-dot MR version is chosen by EMC Isilon Support.  7.1.1 supersedes the prior minor 7.1.0.

So in summary, you don't buy/license minor releases - you buy/license major releases.  While it is true that at some points in time, there are two minor releases in the field corresponding to the same major - there is typically one and only one designated target code for that major.  This is natural given the overlap of releases as well as the time taken by EMC Isilon support to accumulate enough runtime on a given minor to be satisfied that it's ready to be a target code for the given major.  That is a point often not understood by customers - target code designation takes time and effort, and there will be overlap while that happens.  We are at that point with the 7.1.1 minor.

Besides, you _want_ to be on 7.1.1...it's demonstrably superior - using several different relevant metrics - to its minor release predecessor.  The 7.1 OneFS major license you paid for is well-served with 7.1.1.

Finally, as Ashish said, there are always exceptions, and if you feel you have an exceptional case that requires a patch or another MR on the 7.1.0 minor, then please do work with your account team as you (Sergey) already stated you are.  In either case, you will have a fix available.

Hope that helps.  If the goal is to remediate the bug, we have you covered.

Again, take this FWIW.  As Ashish said, thank you for being an EMC Isilon customer.

Cheers

Rob

2 Intern

20.4K Posts

January 30th, 2015 13:00

Thank you Rob. Maybe having two minor releases makes sense in your development cycle but as a very very long EMC customer who is familiar with other EMC platforms (Enginuity, Flare/Dart, DDOS) this is confusing and frustrating. If I am on 7.1 and it's listed in your EOPS document as supported, then I expect it to be supported whether I am on 7.1.1 or 7.1.0.

When can we expect an announcement from Isilon about 7.1.0.x patch?

2 Intern

20.4K Posts

February 5th, 2015 07:00

Dear Isilon... can I get an answer?

12 Posts

February 5th, 2015 08:00

And the answer is that it is supported.

To clarify terminology so that I can answer your question without ambiguity:

1. Patch: Generated by customer request (akin to a Hotfix on other products)

2. Maintenance release: Collection of patches and/or other defects. This is usually planned once there is a sufficient payload.

To answer your question, we can generate a patch on 7.1.0. It is based on customer request. For scalability reasons, this gets triggered through an SR through our support. Could you please raise that SR? That way the right folks on our end are engaged and the response and release vehicles will then work through the process.

Maintenance releases are typically the ones announced. Right this minute, there isn't a sufficient payload for 7.1.0 to plan a 7.1.0 maintenance release.

Does this help?

Regards

Ashish Palekar

@logicalblock
