SG 4 Update #20 – WeChat, HTTPS web server upgrade, enhanced security

This update adds the following enhancements:

  • New WeChat social network authentication
  • HTTPS web server upgrade for enhanced security
    • Disable TLS 1.0 for PCI compliance
      • Note: TLS 1.0 will be re-enabled in a subsequent update to fix the issue of Account Printer AP 2100 not connecting to the gateway.
    • Address the following security vulnerabilities:
      • CVE-2015-1993 (Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute)
      • CVE-2015-4000 (Man-in-the-middle attack to downgrade vulnerable TLS connections to 512-bit export-grade cryptography aka Logjam)
  • Enhanced security with additional system hardening
  • Enhanced walled garden support for HTTPS domains without having to specify their IP addresses, especially for those served by content delivery networks
    • Note: pre-update ‘HTTPS Domains’ settings will now be under the ‘Proxy Domains’ tab
  • Documentation update
    • API and CLI manuals
    • Contextual help for event manager
  • API upgrade
    • social_embed to support 3 sizes of social media login icons
  • Gateway’s default SSL certificate expiry extended to April 7, 2021

This update fixes the following bugs:

  • With an external success/error URL configured, a successful PMS VIP login results in the standard success/error page rather than the configured external link
  • An invalid DHCP vendor-encapsulated-options value may cause downstream clients to fail to get an IP address
  • Some settings are not backed up:
    • Lawful Intercept
    • DHCP VLAN scope

Note: the gateway will automatically reboot upon successful patching.