SG 4 Update #20 – WeChat, HTTPS web server upgrade, enhanced security

Grace NacesArticles, Release Notes, SG 4 Release Notes

This update adds the following enhancements:

  • New wechat social network authentication
  • HTTPS web server upgrade for enhanced security
    • Disable TLS 1.0 for PCI compliance
      • Note: TLS 1.0 shall be re-enabled in a subsequent update in order to fix the issue of Account Printer AP 2100 not connecting to the gateway.
    • Address the following security vulnerabilities:
      • CVE-2015-1993 (Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute)
      • CVE-2015-4000 (Man-in-the-middle attack to downgrade vulnerable TLS connections to 512-bit export-grade cryptography aka Logjam)
  • Enhanced security with additional system hardening
  • Enhanced walled garden support for HTTPS domains without having to specify their IP addresses, especially for those served by content delivery networks
    • Note: pre-update ‘HTTPS Domains’ settings will now be under the ‘Proxy Domains’ tab
  • Documentation update
    • API and CLI manuals
    • Contextual help for event manager
  • API upgrade
    • social_embed to support 3 sizes of social media login icons
  • Gateway’s default SSL certificate expiry extended to April 7, 2021

This update fixes the following bugs:

  • With external success/error URL configured, successful PMS VIP login results in standard success/error page rather than the configured external link
  • Invalid DHCP vendor-encapsulated-options value may cause downstream clients to fail to get IP address
  • Some settings are not backed up:
    • Lawful Intercept
    • DHCP VLAN scope

Note: the gateway will automatically reboot upon successful patching.