Skylight performance element GX Release Notes 24.07

These release notes cover the requirements, new features, and changes for the Skylight Element: GX firmware version 24.07, please read all notes prior to installing this firmware version. For more information, refer to: GX User Material

Requirements

This firmware version applies to the following Skylight element: GX, resulting from changes in the TLS version, the following software versions are compatible with Skylight orchestrator Version 1.3 and above:

• 7.1.1.1
• 7.3.0.3
• 7.4
• 7.5
• 7.6
• 7.7
• 7.8
• 7.8.1
• 7.8.2
• 7.8.2.1
• 7.8.3
• 7.9
• 7.9.1
• 7.9.2
• 7.9.3
• 7.9.4
• 7.9.5
• 7.9.5.1
• 7.9.6
• 7.9.6.1

Firmware Version 24.07.0_25861 (2024-08-09)

New Features and Enhancements

The Skylight performance element GX release 24.07 introduces the following new features and enhancements.

Change Release Number
Release naming convention has been changed to represent year and month of release and the release numbers will no longer be shown in an increasing numerical sequence, for example 8.0 to 8.1. Instead, they will represent the year and month of the release, for example: 24.07 for July 2024.

Analyze Linux Vulnerabilities
The version for openssl has been updated to the correct version (3.0.14) and dropbear has been updated to the correct version 2024.85 and the following issues have also been fixed:
• CVE-2013-2094
• CVE-2014-3153

• Security compliances (CSDL/CSERV, Corona, TPSCRM)

Addressed Issues

Drop Opposite Traffic Warning Was Not Present
When enabling the checkbox of “Drop Opposite Traffic” in OAM Loopback, there was no warning that dropping opposite traffic would drop all the traffic entering the device on the opposite port. Warning has been added via pop-up: “Configuration changes are service affecting, Are you sure you want to proceed?” to warn users of the implications.

This issue has been fixed.

False PTP Alarm not Clearing
System-Configuration-Time was showing PTP synchronization status as synchronized, however the device was raising alarm error code 7.0001.05, even though there was no network changes or changes that would trigger this alarm.

This issue has been fixed.

Unable to use Netcraker to configure the device
The device is sending inaccurate information after performing unsuccessful configuration import via Netcracker. It shows import success and reboot success, however the device did not have the imported file and was then unable to reboot.

This issue has been fixed.

Security Vulnerabilities
The following issues have been fixed:

• Weak ssh--dss host key algorithm
• Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)
• GoAhead Server HTTP Header Injection Vulnerability (CVE-2019-16645)

Security Vulnerabilities
The following issues have been fixed:Local privilege escalation

• Insufficient input sanitization
• Read permissions for sensitive data

Security Vulnerabilities
Security vulnerabilities check. The following issues have been fixed:

• Maximum SSH connection to device (5 sessions): Verify able to connect up to 5 SSH session to device successfully

• Netconf connection to device: Enable Netconf on device, establish the Netconf connection to device by the below command:
  ssh admin@10.231.82.31 -p 830 -s netconf

• Terrapin Scanner tool to scan the issue (CVE-2023-48795)

• SSH to device with debug option

• Update dropbear to v2024.85

Operational Considerations

Important Notes

• The Skylight element: LT firmware is delivered in a consolidated file prefixed by “ACC”, e.g. ACC_7.X_YYYY.afl. This file contains the firmware for the GT, GX , LX and LT Performance Element products. It cannot be used with any other product.
• IMPORTANT: Prior to upgrading the firmware on a unit where the History Buckets feature is enabled, certain precautions may need to be taken to prevent a loss of history data during the upgrade.
• After upgrading to 7.9.1 or 7.9.2, the SCP is no longer able to send files, reporting the following error: Code = 3: URL using bad/illegal format or missing URL. This is due to a syntax change and customer needs to edit the URL after upgrading to 7.9.2 or 7.9.3.
  The URI generic syntax (in RFC 3986) consists of a hierarchical sequence of five components: URI = SCHEME ':' ['//' AUTHORITY] PATH ["?" QUERY] ["#" FRAGMENT]. In this, AUTHORITY = [USER_INFO "@"] HOST [":" PORT]. The AUTHORITY part and the PATH part are isolated by the slash ('/') character if the AUTHORITY exists.