FIRMWARE RELEASE NOTE
======================

Products affected:  AXIS M3024-L Network Camera
Release date:       2021-11-15
Release type:       Production
Firmware version:   5.51.7.5
Preceding release:  5.51.7.4
--------------------------------------------------------------------------------

Upgrade instructions
====================
Upgrade the firmware according to the instructions given at
https://www.axis.com/ca/en/support/technical-notes/how-to-upgrade or
howtoupgrade.txt, which is included in the firmware folder.

NOTE
====================
For the latest information about Axis Cybersecurity, see
https://www.axis.com/se/sv/support/product-security.

Corrections in 5.51.7.5 since 5.51.7.4
=======================================
5.51.7.5:C01  Corrected CVE-2021-31987.
5.51.7.5:C02  Updated OpenSSL to version 1.1.1l to increase overall minimum
              cybersecurity level.
5.51.7.5:C03  Added an option to disable or enable TLSv1.0 or TLSv1.1 using
              param.cgi:
              [IPAddress]/axis-cgi/admin/param.cgi?action=update&root.HTTPS.AllowTLS1=no
              and
              [IPAddress]/axis-cgi/admin/param.cgi?action=update&root.HTTPS.AllowTLS11=no
5.51.7.5:C04  Corrected CVE-2021-31988.

Corrections in 5.51.7.4 since 5.51.7.3
=======================================
5.51.7.4:C01  Updated OpenSSL to version 1.1.1k to fix CVE-2021-3449 and
              CVE-2021-3450.
5.51.7.4:C02  Updated pwdgrp.cgi to be RFC compliant to work seamlessly with
              Home Assistant Systems.

Corrections in 5.51.7.3 since 5.51.7.2
=======================================
5.51.7.3:C01  Corrected an issue introduced in 5.51.7.2 that caused system
              instability.

Corrections in 5.51.7.2 since 5.51.7.1
=======================================
5.51.7.2:C01  Corrected a newline character in pwdgrp.cgi, introduced in
              5.51.6, that could cause problems when parsing the response.
5.51.7.2:C02  Corrected an issue that prevented Action Rule Events from
              sending images via email.
5.51.7.2:C03  Corrected an issue that caused monolith to time out and respawn
              during too many connect/disconnect RTSP streaming requests.
5.51.7.2:C04  Added support to enable/disable X-Frame-Options headers in the
              plainconfig. By default, X-Frame-Options is enabled and its
              value is set to "sameorigin".

Corrections in 5.51.7.1 since 5.51.7
=====================================
5.51.7.1:C01  Corrected an issue introduced in 5.51.7 that caused the SD card
              to become unreachable.

Corrections in 5.51.7 since 5.51.6.2
=====================================
5.51.7:C01    Added the possibility to retrieve the device Owner
              Authentication Key (OAK) in the web GUI. Note that this
              functionality requires that the product has direct access to
              the internet.
5.51.7:C02    Updated the wpa-supplicant to version 2.9 to increase the
              overall cybersecurity level. The following cybersecurity
              vulnerabilities are fixed: CVE-2019-13377, CVE-2019-16275.
5.51.7:C03    Updated OpenSSL to 1.1.1d to increase the overall cybersecurity
              level.
5.51.7:C04    Added support for TLSv1.2.
5.51.7:C05    Updated the client-side URL transfer library (libcurl) to
              version 7.53.1 to increase the overall cybersecurity level.

Corrections in 5.51.6.2 since 5.51.6.1
=======================================
5.51.6.2:C01  Corrected an issue that prevented admin users other than root
              from changing user account passwords.
5.51.6.2:C02  Added ProxyDispatcherOnly option to the O3C/AVHS client that
              can control proxy configurations of dispatcher services.
5.51.6.2:C03  Corrected an issue that caused the camera to drop its network
              connection when using 5.51.6.1 firmware.
5.51.6.2:C04  Added support for NAS over 2TB.

Corrections in 5.51.6.1 since 5.51.6
=====================================
5.51.6.1:C01  Added “X-Frame-Options: sameorigin” to the HTTP Response
              Headers in order to increase overall minimum cybersecurity
              level.
5.51.6.1:C02  Updated Turkey (Istanbul) timezone to GMT +3.
5.51.6.1:C03  Improved robustness of the O3C client.

Corrections in 5.51.6 since 5.51.5.2
=====================================
5.51.6:C01    Improved robustness of the O3C client.
5.51.6:C02    Removed the root user's default password in factory defaulted
              firmware. The password of the root user must be set first in
              order to initialize VAPIX and ONVIF interfaces to allow further
              configuration. This change only affects products in their
              factory defaulted state; products that are already deployed in
              production systems are not affected by this update until
              factory defaulted.

Corrections in 5.51.5.2 since 5.51.5.1
=======================================
5.51.5.2:C01  Corrected an issue that caused event notifications not to be
              triggered on storage disruption.
5.51.5.2:C02  Improved re-connection behavior to AVHS server. The time
              between failed connection attempts will now gradually increase
              until a hard limit is reached.
5.51.5.2:C03  A user with administrator rights can now upload PTZ drivers for
              those cameras supporting this feature. Note that a factory
              default will be required to remove the old permission sets
              from the firmware.
5.51.5.2:C04  Corrected an issue that caused an overload of the CPU after
              enabling IP address filtering.
5.51.5.2:C05  Corrected common vulnerabilities in the Linux kernel to
              increase overall minimum cyber security level. CVE-2010-2960,
              CVE-2010-4175.
5.51.5.2:C06  Patched security vulnerability CVE-2018-14526 in WPA supplicant
              to increase overall minimum cyber security level.

Corrections in 5.51.5.1 since 5.51.5
====================================
5.51.5.1:C01  Corrected an issue that caused the action engine to respawn on
              scheduled triggered action events.
5.51.5.1:C02  Corrected an issue that caused SD cards to become full and
              write protected on rare occasions.

Corrections in 5.51.5 since 5.50.5.14
=====================================
5.51.5:C01    Updated R2 GlobalSign Root Certificate to version 20170717.
5.51.5:C02    Corrected an issue that let the camera become unresponsive on
              rare occasions when connected to an AVHS system.
5.51.5:C03    Corrected critical vulnerability ACV-128401.

Known Bugs/Limitations
======================
5.51.6.1:L01  When the automatic IR cut filter enables/disables the IR cut
              filter, it may trigger motion detection.
5.51.6.1:L02  To be able to use all parts of the image in a View Area, use
              the 4:3 Aspect Ratio for the View Area.
5.51.6.1:L03  Recording streams to SD Card with a total bit rate above
              12Mbit/sec may cause missing frames/sequences.
5.51.6.1:L04  90 and 270 degree rotation can cause a drop in frame rate.
5.51.6.1:L05  If max gain is set to a low value, e.g. 0, the IR cut filter
              may not switch back on automatically.
5.51.6.1:L06  To avoid corrupt recordings, it is recommended to unmount the
              SD Card before ejecting it.
5.51.6.1:L07  Private keys need to be in a PKCS#1 format in order to function
              when installing Certificates.
5.51.6.1:L08  Using control queue with Java Applet may result in wrong queue
              positions if switching between admin and viewer users.
5.51.6.1:L09  The ipv6.class field will have the same value in all IPv6
              packets. The class field value depends on the value of the
              DSCP setting.
5.51.6.1:L10  Time modifiers used in the field "Create folder" are only
              applied upon activation of the rule, hence no new folders are
              created with the current time during an active rule. To have
              new folders created with time modifiers, add them in the
              "Base filename".
5.51.6.1:L11  Custom Exposure windows are not visible in Chrome and Firefox.
              Please use Internet Explorer.
5.51.6.1:L12  Longer connection disruptions towards the Network storage
              during playback of a recording from the Network storage may
              affect the ability to set up new video streams for some time
              after reconnection as well. Ongoing live streaming will not be
              affected.
5.51.6.1:L13  To be able to seek in exported mkv recordings you need to use
              AXIS Matroska File Splitter, see axis.com.
              Files are playable both with and without AXIS Matroska File
              Splitter.
5.51.6.1:L14  SNMP OIDs that have been set are not kept after reboot.
5.51.6.1:L15  Once "Custom" Exposure Windows is chosen within the Java
              Exposure applet, the browser login window keeps asking for
              credentials until you use root as login credentials.
5.51.6.1:L16  A combination of a high bandwidth continuous recording and a
              lot of small recordings can result in a full disk. The
              automatic cleanup will stop at that point and the user has to
              manually remove recordings.
5.51.6.1:L17  Number of different configured video streams is limited by
              hardware.
5.51.6.1:L18  I/O triggers need to be at least one second long for the
              device to accept the trigger. The minimum signal detection
              value can be changed in Plain Config for legacy support.
5.51.6.1:L19  When using a rotated overlay (90 or 270 degrees) and a large
              overlay text size simultaneously, the maximum allowed size of
              an overlay image is reduced to about 12 kB.
5.51.6.1:L20  The recordings database is not backwards compatible. A
              reformat of the SD card is needed when installing older
              firmware. A reformat is also recommended when moving an SD
              card from one camera to another.

Supported AXIS VAPIX API Image Resolutions for AXIS M3024
=========================================================
Resolution   Exceptions
==========   ==========
1280x800
1280x720
1024x640
800x600
640x480
640x400
640x360
480x360
352x240
320x240
1440x900     1)
1024x768     1)
768x576      1)
704x576      1)
704x480      1)
384x288      1)
352x288      1)

1) Not visible in web user interface