Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


This article describes how to handle a possible denial of service state in Smart ID Digital Access component with versions 5.13.5 (Hybrid Access Gateway) and 6.0.2 to 6.1.2.

If you are running 6.0.0 or 6.0.1, please contact Digital Access support.

The information in this article is provided as a part of security measures and we urgently request you to apply the patches provided from 6.0.2 versions onwards respectively.

See the instructions below for the different versions. The patches can be found in the support portal.

Expand/Collapse All

The needed file can be accessed here: https://support-old.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)

  1. Move the provided file access-point to the virtual appliance. (5.13.5/access-point)
  2. SSH into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Go to /opt/nexus/access-point/bin.
  5. Stop the access point:

    Stop access point
    /etc/init.d/access-point stop
  6. Copy the current file access-point and save it in a different location.
  7. Remove the file access-point.
  8. Copy the provided file access-point to the folder /opt/nexus/access-point/bin.
  9. Set the correct permissions:

    Set the correct permissions
    chown pwuser:pwuser /opt/nexus/access-point/bin/access-point
  10. Start the access point:
    Start access point
    /etc/init.d/access-point start
  11. Make sure that everything works and also verify system logs to check for any anomalies.

The needed files can be accessed here under the respective version: https://support-old.nexusgroup.com/Release/?sub=/Denial%20of%20service%20fix%20-%20DA-798&cat=Nexus%20Smart%20ID%20Digital%20Access%20(HAG)

The steps to replace the access-point image is mentioned for 6.0.2. The same applies to 6.0.3 and 6.0.4 (just replace with respective filenames).


  1. Move the provided file DA-798-6.0.2.tar to the virtual appliance. 
  2. SSH into the machine.
  3. Exit from the bash menu and elevate the prompt (use, for example, sudo su - )
  4. Stop the access point:

    Stop access point
    docker exec orchestrator hagcli -s access-point -o stop
  5. Saving the existing access point image as backup:

    Check the image name by doing 'sudo docker ps'. The image name will either contain repo names 'crcommondevelopment92007.azurecr.io' OR 'repo.nexusgroup.com' Replace the repo_path accordingly below.

    Save current access point
    docker save <repo_path>/smartid-digitalaccess/access-point:6.0.2.26514 -o /home/agadmin/access-point-6.0.2-original.tar
  6. Remove the above image:

    Remove old image
    docker image rm -f  <repo_path>/smartid-digitalaccess/access-point:6.0.2.26514
  7. Load the new image (assuming it is in /home/agadmin): 

    Load new image
    docker load -i /home/agadmin/DA-798-6.0.2.tar
    
    // Run the below commands only if the previous image repo_path was repo.nexusgroup.com
    docker image tag crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514 repo.nexusgroup.com/smartid-digitalaccess/access-point:6.0.2.26514
    
    docker image rm -f crcommondevelopment92007.azurecr.io/smartid-digitalaccess/access-point:6.0.2.26514
  8. Verify that it worked:

    1. Verify image
      docker image ls | grep access
    2. This should produce a return output similar to this:

      <repo_path>/smartid-digitalaccess/access-point           6.0.2.26514         58d0c3e7f973        13 hours ago        495MB
  9. Start the new access point:

    Start access point
    docker exec orchestrator hagcli -s access-point -o start
  10. Verify that the access point starts:

    Verify that access point starts
    docker ps

This instruction describes how to resolve a denial of service vulnerability in Digital Access 6.0.5 and above.

  1. SSH into the machine
  2. Make sure you have an active internet connection. If not then download the access point image from the nexusimages repo manually.

  3. Manually change the image tag for the access point image in /opt/nexus/docker-compose/versiontag.yml as per below table based on version OR upgrade to version 6.1.3 that includes the fix.

    VersionsTags
    6.0.56.0.5.100852
    6.0.66.0.6.100856
    6.0.76.0.7.100712
    6.1.06.1.0.100858
    6.1.16.1.1.100860
    6.1.26.1.2.100866
  4. Restart the services so that all instances of the access points are updated:

    Restart all services
    docker stack rm da  					//where da is the deployment stack name
    bash /opt/nexus/scripts/start-all.sh 	// to start the services
  5. Verify the access point version running:

    Check version
    sudo docker ps