Security Fixes and Enhancements

Disable TLS 1.0 & TLS 1.1 by default

This release changes the gateway's default TLS configuration: TLS 1.0 and TLS 1.1, together with the cipher suites that apply only to them, are now disabled by default, as both protocol versions are deprecated and have reached End of Life (EoL).
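The following Python is an added example (not code from this release or from the gateway) of the two sides of such a change: a server-side context that refuses anything below TLS 1.2 and drops the legacy cipher suites, and a client-side probe you can point at a gateway after the upgrade to confirm that TLS 1.0 and 1.1 handshakes are actually rejected. The cipher string, the list of "deprecated" name markers and the host/port arguments are assumptions for illustration.

```python
import socket
import ssl

# Suites that only make sense in TLS 1.0/1.1 deployments and should not survive
# the cut-over (assumed list for this example): RC4, 3DES, MD5 MACs, NULL/export/anonymous.
_DEPRECATED_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP", "ADH", "AECDH")


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context that negotiates TLS 1.2 or 1.3 only.

    certfile/keyfile are optional so the policy can be inspected offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # TLS 1.2 list restricted to AEAD suites with forward secrecy (assumed policy).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def deprecated_ciphers(ctx):
    """Names of any deprecated suites the context would still offer (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in _DEPRECATED_MARKERS)]


def hardened_minimum_version_name():
    """Convenience for checks/tests: the protocol floor of the hardened context, as a name."""
    return hardened_server_context().minimum_version.name


def probe_tls_versions(host, port=443, timeout=5.0):
    """One handshake per protocol version; report which ones the remote server accepts.

    Needs network access; run it against the gateway after the upgrade and expect
    TLSv1 and TLSv1_1 to be 'rejected'.
    """
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we are testing protocol policy here, not the certificate
        try:
            ctx.minimum_version = ctx.maximum_version = version  # pin exactly one version
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[version.name] = "accepted (%s)" % tls.version()
        except ssl.SSLError as exc:
            # Newer OpenSSL builds refuse to even offer TLS 1.0/1.1 at the default
            # security level; report that rather than a false "rejected by server".
            reason = exc.reason or ""
            results[version.name] = ("not offerable by local OpenSSL"
                                     if "NO_PROTOCOLS" in reason else "rejected")
        except (OSError, ValueError) as exc:
            results[version.name] = "error: %s" % exc
    return results
```

If the probe reports "not offerable by local OpenSSL" for the legacy versions, verify from a host with an older OpenSSL build or lower the local security level; the gateway side cannot be judged from that result.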

Spring cleaning - public directories

Unneeded files have been removed from the public directory to reduce the attack surface.

AuthSessionKey NOT getting immediately expired after login

The AuthSessionKey, which previously remained valid after login, is now expired immediately once login completes.

Buffer overflow in CGIs

A buffer overflow vulnerability in the CGI programs has been fixed in this release.

Core File generation after sending large values in XML tags and headers

A crash (core file generation) caused by improper handling of oversized values in XML tags and HTTP headers has been fixed in this release.

XML parsing Error

XML parsing errors are now handled properly, reducing exposure to XML-based attacks.

Prevent log injection in logout call

The logout call now carries a token that uniquely identifies the session.

SQL injection XML parameter

The SQL injection vulnerability has been fixed; all client-side user input is now validated and sanitized.

Prevent CGI replay attacks

A session ID is now included in CGI calls to uniquely identify the user's session.

HTTP smuggling attack

This has been fixed in this release by restricting user input and a few request headers.
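The header restrictions that mitigate request smuggling usually come down to refusing requests whose message length is ambiguous. The Python below is an added example (not the gateway's code) of that check at the HTTP-parsing layer: it rejects a request head that carries both Content-Length and Transfer-Encoding, conflicting or non-numeric Content-Length values, anything other than a single "chunked" coding, obs-fold continuation lines, bare CR/LF, and whitespace before the header colon. The sample requests are constructed for the example.

```python
import re

# RFC 7230 token characters; a header name with a space before the colon fails this on purpose.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_DIGITS = re.compile(r"^[0-9]+$")


class RequestRejected(ValueError):
    """Raised for any request we will not forward; the message is safe to log."""


def parse_request_head(raw: bytes):
    """Split a raw request into (request_line, [(lower_name, value), ...]).

    Rejects bare CR/LF and obs-fold continuation lines, which front end and
    back end parsers frequently interpret differently.
    """
    if b"\r\n\r\n" not in raw:
        raise RequestRejected("incomplete header block")
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise RequestRejected("obs-fold line continuation not allowed")
        if b"\n" in line or b"\r" in line:
            raise RequestRejected("bare CR/LF inside header line")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name.decode("latin-1")):
            raise RequestRejected("malformed header field name")
        headers.append((name.decode("latin-1").lower(),
                        value.strip(b" \t").decode("latin-1")))
    return lines[0].decode("latin-1"), headers


def validate_framing(headers):
    """Return ('content-length', n), ('chunked', None) or ('none', None), else raise.

    The rules: never both CL and TE (CL.TE / TE.CL desync), never two differing
    CLs, only a single plain 'chunked' coding (no 'xchunked', 'chunked, identity').
    """
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        raise RequestRejected("Content-Length and Transfer-Encoding in one request")
    if len(tes) > 1:
        raise RequestRejected("multiple Transfer-Encoding headers")
    if tes:
        codings = [c.strip().lower() for c in tes[0].split(",")]
        if codings != ["chunked"]:
            raise RequestRejected("only a single Transfer-Encoding: chunked is accepted")
        return ("chunked", None)
    if cls:
        if len(set(cls)) > 1:
            raise RequestRejected("conflicting Content-Length values")
        if not _DIGITS.match(cls[0]):
            raise RequestRejected("non-numeric Content-Length")
        return ("content-length", int(cls[0]))
    return ("none", None)


def check_request(raw: bytes):
    """Convenience wrapper: (request_line, framing) or RequestRejected."""
    request_line, headers = parse_request_head(raw)
    return request_line, validate_framing(headers)


# Constructed samples for this example.
SMUGGLED_CL_TE = (b"POST /login HTTP/1.1\r\nHost: gw.example\r\nContent-Length: 4\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
OBFUSCATED_TE = (b"POST /login HTTP/1.1\r\nHost: gw.example\r\n"
                 b"Transfer-Encoding: xchunked\r\n\r\n")
SPACE_BEFORE_COLON = (b"POST /login HTTP/1.1\r\nHost: gw.example\r\n"
                      b"Content-Length : 5\r\n\r\nhello")
CLEAN = (b"POST /login HTTP/1.1\r\nHost: gw.example\r\nContent-Length: 10\r\n\r\n"
         b"user=alice")
```

Reject, do not "repair": normalising an ambiguous request (for example dropping the Content-Length when chunked is present) is exactly the behaviour that lets two hops disagree.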

Client configuration file service exit mode password disclosure

The password tag has been removed from the client configuration file in this release.

Secure transmission of username & password between HyLite & Database

Communication between HyLite and the database is now encrypted.

Updated jQuery version

jQuery has been updated in this release.

Verify that HTTP response headers include security headers for API calls

Various security headers have been added to API responses in this release to strengthen the security posture.

OpenSSL, OpenSSH and Kernel version update

OpenSSL, OpenSSH and the kernel have been updated to the latest secure versions.

Reflected XSS in username parameter

The error message is now rendered properly, which eliminates the reflected XSS vector.
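Both the logout log-injection item and this reflected XSS item are output-encoding problems: a client-controlled value reaches a sink (a log file, an HTML page, a URL) without being encoded for that sink. The Python below is an added example, not the product's code, of encoding the same username for each sink. The log line format, the token prefix length and the error page markup are assumptions for illustration.

```python
import html
import re
from urllib.parse import quote

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_safe(value: str, max_len: int = 256) -> str:
    """Make a client-supplied value safe to place in a single log line.

    CR/LF become the visible escapes \\r and \\n so an attacker cannot forge a
    second, fake log entry; other control bytes (terminal escapes, NUL) become
    \\xNN; overlong values are truncated.
    """
    def esc(match):
        ch = match.group(0)
        return {"\r": "\\r", "\n": "\\n", "\t": "\\t"}.get(ch, "\\x%02x" % ord(ch))
    out = _CONTROL.sub(esc, value)
    return out if len(out) <= max_len else out[:max_len] + "...(truncated)"


def logout_log_line(session_token: str, username: str, client_ip: str) -> str:
    """Constructed log format (assumed). Every client-controlled field goes through
    log_safe; only a prefix of the token is written so the log never becomes a
    usable copy of the session secret."""
    return "logout token=%s... user=%s ip=%s" % (
        log_safe(session_token[:8]), log_safe(username), log_safe(client_ip))


def login_error_html(username: str) -> str:
    """Reflect the username into the error page encoded for each context:
    HTML-escaped (quotes included) in element text, URL-encoded inside the
    retry link, so neither context can be broken out of."""
    return ('<p class="error">Login failed for user "%s".</p>'
            '<a href="/login?user=%s">Try again</a>'
            % (html.escape(username, quote=True), quote(username, safe="")))
```

The point of the two encoders is that there is no single "sanitised" form of the username: the same string needs different encoding for the log, the HTML body and the URL, so encode at each sink rather than once at input.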

Password transmitting in clear text in RDP call

The password field has been removed from the RDP call, so the password is no longer transmitted in clear text.

Session Management

User session security has been enhanced through proper implementation of session IDs and tokens in API calls.

XML entity expansion injection

The XML parser has been changed to handle large entity expansions, mitigating this denial-of-service vector.
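Three items above concern the same code path: oversized values in XML tags causing a crash, parsing errors being handled properly, and entity expansion. The Python below is an added example, not the product's parser, of how a server can take XML from an untrusted client safely: it refuses any DOCTYPE or entity declaration outright (which removes both entity expansion and external-entity fetches), caps document size, per-value size and nesting depth so a large value is rejected rather than crashing the process, and maps parser errors to a message that does not echo the input. Because the page's SQL injection item also involves an XML parameter, the example finishes by using the parsed value in a parameterised query. The request format (<login><user>...</user></login>), the limits, the users table and the billion-laughs sample are all constructed for this example; the stdlib expat module is used rather than any third-party hardened parser.

```python
import sqlite3
import xml.parsers.expat as expat

MAX_DOCUMENT_BYTES = 64 * 1024   # assumed limits; tune per endpoint
MAX_TEXT_BYTES = 4 * 1024
MAX_DEPTH = 32


class UnsafeXml(ValueError):
    """Raised for any document we refuse to process; the message is safe to log."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client XML into nested {'tag', 'attrs', 'text', 'children'} dicts."""
    if len(data) > MAX_DOCUMENT_BYTES:
        raise UnsafeXml("document exceeds %d bytes" % MAX_DOCUMENT_BYTES)
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def forbid(*_args):  # any DTD, internal or external, is rejected
        raise UnsafeXml("DOCTYPE/entity declarations are not accepted")

    def start(tag, attrs):
        if len(stack) > MAX_DEPTH:
            raise UnsafeXml("element nesting too deep")
        for value in attrs.values():
            if len(value) > MAX_TEXT_BYTES:
                raise UnsafeXml("attribute value too large")
        node = {"tag": tag, "attrs": dict(attrs), "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def chars(text):  # expat may deliver text in chunks; bound the accumulated total
        node = stack[-1]
        node["text"] += text
        if len(node["text"]) > MAX_TEXT_BYTES:
            raise UnsafeXml("element text too large")

    def end(_tag):
        stack.pop()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Report a position only; the offending bytes never reach the log or the client.
        raise UnsafeXml("malformed XML at line %d column %d"
                        % (exc.lineno, exc.offset)) from None
    if len(root["children"]) != 1:
        raise UnsafeXml("expected exactly one root element")
    return root["children"][0]


def find_user(conn, username):
    """Bound parameter: the value taken from the XML is data, never SQL text."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchone()


def login_lookup(conn, xml_bytes):
    """Constructed request format: <login><user>NAME</user></login>."""
    doc = parse_untrusted_xml(xml_bytes)
    if doc["tag"] != "login":
        raise UnsafeXml("unexpected root element")
    users = [c for c in doc["children"] if c["tag"] == "user"]
    if len(users) != 1:
        raise UnsafeXml("expected exactly one <user> element")
    return find_user(conn, users[0]["text"])


def demo_db():
    """In-memory users table constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


# Constructed billion-laughs payload (small enough to be harmless if it were expanded).
BILLION_LAUGHS = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
    b'<login><user>&lol3;</user></login>')
```

Rejecting the DOCTYPE entirely is the simplest policy; if a deployment genuinely needs a DTD, the alternative is to keep the EntityDeclHandler rejection and additionally enforce an expansion budget, which is considerably easier to get wrong.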

Username & domain name transmitted as part of GET request

The request method has been changed from GET to POST, so these values are no longer sent as URL query parameters.

Removal of server headers

Server details have been removed from the server response headers.

Internal IP address disclosure

Server errors are now handled properly to prevent exposure of sensitive information such as internal IP addresses.

Tomcat upgrade

Tomcat has been upgraded to the latest secure version.

Potential network Denial of Service (DoS) / Bill Shock in HySecure Cloud Deployments

The network diagnostics functionality has been removed from the login page, eliminating this attack vector.

Hide internal module configuration file from direct public access

Access to the internal module configuration file has been restricted in HyLite.

Upgrade Internal Components of Server

All internal server components have been upgraded to the latest secure versions.

Usage of self-signed certificate with common name accops.com during preboot

"accops.com" has been replaced with "XX" as the certificate common name used during preboot.

Slowloris Attack

Mitigation for Slowloris attacks has been implemented.