Skylight performance element GX Release Notes 24.11
  • 02 Dec 2024

These release notes cover the requirements, new features, and changes for the Skylight Element: GX firmware version 24.11. Please read all notes prior to installing this firmware version. For more information, refer to: GX User Material

Requirements

This firmware version applies to the following Skylight element: GX. As a result of changes in the TLS version, the following software versions are compatible with Skylight orchestrator Version 1.3 and above:

7.1.1.1
7.3.0.3
7.4
7.5
7.6
7.7
7.8
7.8.1
7.8.2
7.8.2.1
7.8.3
7.9
7.9.1
7.9.2
7.9.3
7.9.4
7.9.5
7.9.5.1
7.9.6
7.9.6.1
8.0 (24.07.0)
8.1 (24.11)

Note: There is a patch available for earlier versions of Skylight orchestrator. Please contact Accedian support for further information.

Firmware Version 24.11.0_26148 (2024-12-02)

New Features and Enhancements

Assurance Sensor GT and GT-S release 24.11 introduces the following new features and enhancements.

Application and Interface Security
This release includes all Cisco application and interface security requirements, including:

• Control debuggers (CT1127: SEC-CSP-NOCDBG-2)
• Use HTTP Strict Transport Security (CT1652: SEC-HTP-HSTS-2)
• Validate all input before processing it (CT1735: SEC-VAL-CLNIN)
• Protect command processors from injection vulnerabilities by preventing the execution of arbitrary commands or code (CT1750: SEC-VAL-INEVAL-2)
• Prevent CSRF Vulnerabilities (CT1742: SEC-WEB-CSRF-3)
• Disable Unused HTTP Methods (CT1553: SEC-WEB-HTTPMETH-2)
• Avoid Open Redirects (CT522: SEC-WEB-NOREDIR)
• Specify type and encoding in HTTP responses; disable type sniffing (CT1665: SEC-WEB-RESP-3)
• Pass sensitive information only in request body or headers (CT1710: SEC-WEB-URLPARM-2)
• Prevent cross-site scripting vulnerabilities (CT2120: SEC-WEB-XSS-4)
• Prevent Click-Jacking (CT1711: SEC-WEB-CLCKJACK-2)
• Use secure Session Tokens (session IDs/state tokens) (CT1935: SEC-WEB-ID-4)
• Do not permit undocumented ways of gaining access to the offering (CT1901: SEC-CRE-NOBACK-2 (Disable backdoors/debug shell))

TCP Dump Feature Enhancement
This release includes new CLI commands to extract PCAP files.

Corrected Issues

CLI Not Prompting Password Change in Factory Default State
The CLI prompt for a password change when the device is factory reset has been implemented.

About Page Removed
The About page, when accessed via the web UI, was showing outdated versions for OpenSSL and Dropbear. The page has now been removed.

Out of Date OpenSSL and Dropbear Versioning in UI About Page
The versions of OpenSSL and Dropbear shown on the About page in the UI needed to be updated to the correct versions. The About page has now been removed.

IPv6 Static Configuration Not Showing After Checkbox for IPv6 Enabled
When you click the checkboxes for "IPv6 enable" and "Static Address" in the user interface, the IPv6 static configuration fields should be displayed, but the actual result was that nothing was displayed.

Security Vulnerabilities
This release includes security enhancements to ensure that the system is not vulnerable, including in the following areas:
• Local privilege escalation
• Insufficient input sanitization
• Read permissions for sensitive data
• Session cookie
• Missing SSH fingerprint verification
• Credentials for server services

Operational Considerations

Important Notes
This section documents the operational considerations related to Assurance Sensor GT-S 24.11.

IMPORTANT: Prior to upgrading the firmware on a unit where the History Buckets feature is enabled, certain precautions may need to be taken to prevent a loss of history data during the upgrade.
In a G.8032 ring configuration, the Assurance Sensor GT-S supports a maximum of 62 policies on the LAG port (i.e. policies that govern how traffic is dropped from the ring to UNI ports). This limitation does not apply to the UNI ports (i.e. policies that govern how traffic is added to the ring) unless the VLAN-tagged customer traffic is passed transparently from the UNI port to the ring through one-to-one mapping.
One way to avoid this limitation and maximize the number of usable UNI policies is to encapsulate multiple customer VLANs (coming from the UNI) under a single service provider VLAN on the ring. Doing so reduces the number of policies required by the LAG port.

