OpsMgr: UNIX/Linux Heartbeat Failures After Applying KB2585542

The OpsMgr UNIX/Linux monitoring team at Microsoft is currently investigating an issue that results in heartbeat failures on Operations Manager UNIX/Linux agents after the security update KB2585542 is applied to a Management Server or Gateway.  This update fixes a vulnerability in SSL/TLS1.0, but appears to cause WS-Management connections to UNIX/Linux agents to fail. 

The vulnerability is described in bulletin MS12-006, and more information can be found in the KB article.  While we continue to investigate options for resolving this issue, there are two viable workarounds (which must be applied to all Mgmt Servers and Gateways that manage UNIX/Linux agents):

  1. Uninstall the update KB2585542 
  2. Make a registry modification to disable the SecureChannel changes implemented in the update

Note: the registry modification described here and in the KB article effectively disables the security fix that the update implements, so the modified system is subject to the same vulnerability as an unpatched system.

Modifying the registry to disable the SecureChannel changes:

  • A “FixIt” package is available in the KB article under the Known Issues section that can be used to disable the security update
  • Alternatively, you can add the 32bit DWORD value:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    \SecurityProviders\SCHANNEL\

     SendExtraRecord = 2

These changes take effect immediately and do not require a reboot.

Advertisements

About Kristopher Bash
Kris is a Senior Program Manager at Microsoft, working on UNIX and Linux management features in Microsoft System Center. Prior to joining Microsoft, Kris worked in systems management, server administration, and IT operations for nearly 15 years.

10 Responses to OpsMgr: UNIX/Linux Heartbeat Failures After Applying KB2585542

  1. Diane says:

    Please note that this also breaks the Universal Connector, which relies on the same winrm communication.

  2. Kristopher Bash says:

    Thanks Diane!

  3. Shorty says:

    has anyone noticed an issue with agent discovery with windows machines as well? I’m not sure if it’s related to the linux hosts but I’m running into an issue where discovery fails for server OS’s bt works for client machines. Not sure if one of the security updates is causing the problem or not. Any help would be appreciated.
    BTW I am having the problem mentioned above and I can confirm that making the registry chnge will temporarily fix the issue until Microsoft finds a fix for it.

  4. Qartman says:

    This fixed up our problem, too! Thank you soooo much

  5. Daniel Mar says:

    This KB also breaks the communication between XenServer hosts being managed by SCVMM 2012

  6. Pingback: SCOM 2012, ilk sürüş testi – 2 « Sistem yönetimi

  7. Pingback: SCOM 2012 Linux Monitoring (Lab) Part 3.5 Agent Deployment | SCOMfaq.ch

  8. Pingback: Update KB2585542 causes HP OpenView connector for SCOM not send alerts to OMU server « Cloud Administrator

  9. Pingback: SCOM 2007 R2 CU2 – Deploy Agent to Sun Solaris 10 Zone (SPARC) | SCOMfaq.ch

  10. Pingback: Problems with the SCOM 2007 Cross Platform agent | Jonathan Horner

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: