
[Paragon Active Assurance] Ubuntu patch for python-django causes Control Center to fail with 500 Internal Server Errors


Article ID: KB37128 KB Last Updated: 03 Jun 2021 Version: 2.0

Summary:

This article informs users of Paragon Active Assurance (formerly Netrounds) about the impact of, and the temporary workaround for, the issue caused when the Ubuntu package python-django version 1:1.11.11-1ubuntu1.14 has been installed on the Paragon Active Assurance Control Center.

Juniper Networks regards this as critical severity, and we recommend immediate action to prevent this version from being installed. Note that Ubuntu may be configured to automatically download and install patches unattended as a background process. In this case, we recommend temporarily stopping this process.

Juniper will soon provide a Control Center maintenance release, version 3.0.2, addressing this incompatibility issue.

Symptoms:

Impact:
An outage of the Paragon Active Assurance Control Center, affecting the web-UI, the APIs, and running Tests and Monitors. There is no immediate security risk identified with this issue.

Affected products and versions:
Paragon Active Assurance Control Center versions 2.35, 2.36, 3.0.0, and 3.0.1. The Paragon Active Assurance Test Agent is not affected by this issue.
Paragon Active Assurance provided as SaaS operated by Juniper Networks has been patched and is not affected.

How to verify if affected:

  1. To verify if the affected Django package has been installed on the Control Center execute the following command:

    $ apt-cache policy python-django

    If the installed version is 1:1.11.11-1ubuntu1.14 then the Control Center is affected by this issue. If this shows an earlier version, for example, 1:1.11.11-1ubuntu1.13, then the system is not affected and will continue to operate as normal.

  2. If you are running Control Center 3.0.2 or later, you are also not affected by this issue, regardless of the python-django version used. Check the footer of the web-UI or the installed version with this command:

    $ apt-cache policy paa-common
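
The two checks above can be combined into one classification that also flags a host where 1ubuntu1.14 is not yet installed but is already the apt candidate. This is an added example, not Juniper's code: the function names, result labels and sample output are constructed, and it assumes the paa-common package version starts with the Control Center release number.

```bash
# Added example (not Juniper's code): classify a Control Center host from
# `apt-cache policy` output, using the versions named in this article.
BAD_DJANGO='1:1.11.11-1ubuntu1.14'  # incompatible python-django build
FIXED_CC='3.0.2'                    # first Control Center release with the fix

# Print the "Installed" or "Candidate" version from policy text on stdin.
policy_field() { awk -v key="$1:" '$1 == key { print $2; exit }'; }

# Succeed when version $1 >= $2 (GNU `sort -V` ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# classify <python-django policy text> <paa-common policy text>
# Assumption: the paa-common package version starts with the release number.
classify() {
    local dj_inst dj_cand cc_inst
    dj_inst=$(printf '%s\n' "$1" | policy_field Installed)
    dj_cand=$(printf '%s\n' "$1" | policy_field Candidate)
    cc_inst=$(printf '%s\n' "$2" | policy_field Installed)
    if [ -n "$cc_inst" ] && [ "$cc_inst" != "(none)" ] &&
       version_ge "$cc_inst" "$FIXED_CC"; then
        echo "fixed-release"   # 3.0.2 or later: python-django version irrelevant
    elif [ "$dj_inst" = "$BAD_DJANGO" ]; then
        echo "affected"        # incompatible build is installed: roll back
    elif [ "$dj_cand" = "$BAD_DJANGO" ]; then
        echo "at-risk"         # incompatible build is the upgrade candidate
    else
        echo "ok"
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_DJANGO='python-django:
  Installed: 1:1.11.11-1ubuntu1.13
  Candidate: 1:1.11.11-1ubuntu1.14
  Version table:
     1:1.11.11-1ubuntu1.14 500
 *** 1:1.11.11-1ubuntu1.13 100'
SAMPLE_CC='paa-common:
  Installed: 3.0.1
  Candidate: 3.0.1'

classify "$SAMPLE_DJANGO" "$SAMPLE_CC"
# On a live host:
# classify "$(apt-cache policy python-django)" "$(apt-cache policy paa-common)"
```
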
Cause:

If the Ubuntu package python-django version 1:1.11.11-1ubuntu1.14 has been installed on the Paragon Active Assurance Control Center, the Control Center fails to execute and returns HTTP 500 errors, effectively halting all operations and causing an outage.

Solution:

Recommended Actions and Workaround


Avoid automatic installation:

To avoid automatically installing the incompatible Django package, it is advised to disable unattended upgrades on the Control Center until a Control Center patch release has been applied.

  1. Verify if the service is running:

    $ sudo systemctl status unattended-upgrades | grep Active

    You may see output similar to 'Active: active (running) since Thu 2021-06-03 08:28:42 UTC; 1h 28min ago'. If the service is running, Ubuntu may attempt to install the affected patch automatically in the background.

  2. Deactivate the service if it is running:

    $ sudo systemctl stop unattended-upgrades

  3. Mask the service in order to prevent other services from starting it again after a reboot:

    $ sudo systemctl mask unattended-upgrades

  4. Ensure the service is not running:

    $ sudo systemctl status unattended-upgrades

Actions if the release has been installed:

If the 1:1.11.11-1ubuntu1.14 version has already been installed, this patch must be rolled back to restore the Control Center. This can be done with the following procedure.

  1. (Required) Manually download the 1ubuntu1.13 version of python-django and python-django-common:

    $ wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/21471722/+files/python-django_1.11.11-1ubuntu1.13_all.deb
    $ wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/21471722/+files/python-django-common_1.11.11-1ubuntu1.13_all.deb
  2. Install these packages:

    $ sudo apt-get install -y --allow-downgrades ./python-django_1.11.11-1ubuntu1.13_all.deb ./python-django-common_1.11.11-1ubuntu1.13_all.deb
  3. (Required) Restart the affected process:

    $ sudo systemctl restart "netrounds-*" apache2
  4. To keep the option of installing other Ubuntu patches using regular update processes, it is possible to mark these two packages with “hold” status to avoid unintentional upgrades to an incompatible version. This may be done with this command:

    $ sudo apt-mark hold python-django python-django-common
  5. Remember to undo this hold status in the future when applying a patch with a later Control Center release including the fix:

    $ sudo apt-mark unhold python-django python-django-common

 

Long term solution

For a long-term solution, we recommend all customers upgrade to release 3.0.2 which will be released shortly.
