Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This article describes how to handle a possible denial of service state in Smart ID Digital Access component with versions 5.13.5 (Hybrid Access Gateway) and 6.0.2 to 6.1.2.

If you are running 6.0.0 or 6.0.1, please contact Digital Access support.

The information in this article is provided as a part of security measures and we urgently request you to apply the patches provided from 6.0.2 versions onwards respectively.

See the instructions below for the different versions. The patches can be found in the support portal.

 HAG 5.13.5

The needed file can be accessed here: https://support.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)

  1. Move the provided file access-point to the virtual appliance. (access-point_5.13.5.dev_i386.deb)
  2. SSH into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Go to /opt/nexus/access-point/bin.
  5. Stop the access point:

    Stop access point
    /etc/init.d/access-point stop
  6. Copy the current file access-point and save it in a different location.
  7. Remove the file access-point.
  8. Copy the provided file access-point to the folder /opt/nexus/access-point/bin.
  9. Set the correct permissions:

    Set the correct permissions
    chown pwuser:pwuser /opt/nexus/access-point/bin/access-point
  10. Start the access point:
    Start access point
    /etc/init.d/access-point start
  11. Make sure that everything works and also verify system logs to check for any anomalies.
 Digital Access 6.0.2, 6.0.3, 6.0.4

The needed files can be accessed here under the respective version: https://support.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)

The steps to replace the access-point image is mentioned for 6.0.2. The same applies to 6.0.3 and 6.0.4 (just replace with respective filenames).


  1. Move the provided file DA-798-6.0.2.tar to the virtual appliance. 
  2. SSH into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Stop the access point:

    Stop access point
    docker exec orchestrator hagcli -s access-point -o stop
  5. Save the current access point as backup:

    Save current access point
    docker save repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514 -o /home/agadmin/access-point-6.0.2-original.tar
  6. Remove the old image:

    Remove old image
    docker image rm -f  repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514
  7. Load the new image (assuming it is in /home/agadmin):

    Load new image
    docker load -i /home/agadmin/DA-798-6.0.2.tar
  8. Verify that it worked:

    1. Verify image
      docker image ls | grep access
    2. This should produce a return output similar to this:

      repo.nexusgroup.com/smartid-digitalaccess/access-point           6.0.2.26514         58d0c3e7f973        13 hours ago        495MB
  9. Start the new access point:

    Start access point
    docker exec orchestrator hagcli -s access-point -o start
  10. Verify that the access point starts:

    Verify that access point starts
    docker ps
 Digital Access 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1 and 6.1.2

This instruction describes how to resolve a denial of service vulnerability in Digital Access 6.0.5 and above.

  1. SSH into the machine
  2. Make sure you have an active internet connection. If not then download the access point image from the nexusimages repo manually.

  3. Manually change the image tag for the access point image in /opt/nexus/docker-compose/versiontag.yml as per below table based on version OR upgrade to version 6.1.3 that includes the fix.

    VersionsTags
    6.0.56.0.5.100852
    6.0.66.0.6.100856
    6.0.76.0.7.100712
    6.1.06.1.0.100858
    6.1.16.1.1.100860
    6.1.26.1.2.100866
  4. Restart the services so that all instances of the access points are updated:

    Restart all services
    docker stack rm da  					//where da is the deployment stack name
    bash /opt/nexus/scripts/start-all.sh 	// to start the services
  5. Verify the access point version running:

    Check version
    sudo docker ps
  • No labels