Reflection for Secure IT Gateway 1.1 Service Pack 1 Release Notes

Updated April 2018

IMPORTANT: Reflection for Secure IT Gateway 1.1 Service Pack 1 Update 1 was released in April 2018. In it, FasterXML components were updated to version 2.9.5 as advised in the National Vulnerability Database entry for CVE-2018-7489. For more information on this vulnerability, visit the National Vulnerability Database website.

1.0 What’s New?

The following sections outline the key improvements and functions provided by this version, as well as the issues resolved in this release:

1.1 Version Identification

This release is identified as version 1.1.1.1066, which is displayed in the Gateway Administrator on the About tab.

1.2 Enhancements

Reflection for Secure IT Gateway 1.1 Service Pack 1 includes the following improvements:

  • New Cryptographic Module for Secure Connections

    The Reflection for Secure IT Gateway product has been updated to use a new cryptographic module for providing encrypted connections and secure file transfer. The previous third-party cryptography provider for Reflection for Secure IT Gateway had announced the end of support for their cryptographic module, which is the reason for this change. From this point onwards, all future security updates related to cryptography will be addressed by Micro Focus in the Reflection for Secure IT Gateway 1.1 SP1 release and its successors. Micro Focus strongly recommends that customers upgrade to Reflection for Secure IT Gateway 1.1 SP1 at the earliest opportunity. Failing to upgrade to this new version could place them out of compliance with regulatory requirements such as PCI-DSS, which require that critical security libraries be up to date and supported. Failing to upgrade could also put customers at risk if a new security vulnerability is announced, because security patches are not expected to be available for the older cryptographic modules used in previous versions of the Reflection for Secure IT Gateway product.

  • Updated platform support to include Microsoft Windows Server 2016.

  • Addressed several security vulnerabilities. See Section 2.0, Security Improvements for the vulnerabilities addressed in this release.

2.0 Security Improvements

Reflection for Secure IT Gateway addresses the following vulnerabilities:

  • CVE-2016-6802: Updated to Apache Shiro 1.3.2 to prevent attackers from bypassing intended servlet filters to gain access by leveraging use of a non-root servlet context path.

  • CVE-2017-12624: Updated to Apache CXF 3.2.1 to prevent the crafting of a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider.

  • CVE-2015-4000: Updated the DHE key size from 1024 to 2048 bits to address the weak DH group key exchange vulnerability.

  • CVE-2017-10989: Updated to SQLite 3.20.1 to address a heap-based buffer over-read caused by mishandling of RTree blobs.

  • CVE-2017-5661: Apache FOP has been removed from the product.

  • CVE-2016-2183 and CVE-2016-6329: Weak 64-bit block ciphers ("Sweet32" attack) have been removed.

  • CVE-2017-9735: Updated to Jetty 9.4.6.v20170531 to prevent a timing channel in util/security/Password.java.

  • CVE-2010-2232: Updated to Apache Derby 10.14.1.0 to prevent export processing from overwriting an existing file.

  • CVE-2016-1000031: Updated to Apache Commons FileUpload 1.3.3 to prevent DiskFileItem file manipulation leading to remote code execution.

  • The RSA BSAFE Crypto-J and SSL-J libraries have been replaced with the Bouncy Castle FIPS cryptographic libraries.

  • Product updated to Oracle Java 8 Update 151.

  • Product updated to OpenSSL v1.0.2n.

3.0 Server System Requirements and Installation

Reflection for Secure IT Gateway 1.1 Service Pack 1 system requirements and supported platforms:

Supported Platforms

  • Microsoft Windows Server 2016 on Intel or equivalent, 64-bit

  • Microsoft Windows Server 2012 R2 on Intel or equivalent, 64-bit

  • Microsoft Windows Server 2012 on Intel or equivalent, 64-bit

Supported Virtualization Products

  • VMware vSphere Hypervisor (ESXi)

Gateway Administrator Web Application

The Gateway Administrator provides a web-based application that you can run directly from the computer on which you have installed the Gateway Administrator service, or from any system with access to this computer. It is supported on the following web browsers. JavaScript and cookies must be enabled.

  • Microsoft Internet Explorer (version 11 or later, Windows only)

  • Mozilla Firefox (current versions)

  • Google Chrome (current versions)

  • Apple Safari (current versions, Mac only)

PKI Services Manager

If your client users will authenticate using X.509 certificates or Smart Cards, you need to install and configure Reflection PKI Services Manager, which is available at no additional charge from the Reflection Gateway download page.

  • Reflection PKI Services Manager version 1.3.2 or later

Installing Reflection Gateway

Before you install Reflection for Secure IT Gateway, review your configuration plan. For documentation on installing the product visit the Installing Reflection Gateway section of the Reflection for Secure IT Gateway Administrator’s Guide.

4.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.

Copyright © 2018 Attachmate Corporation, a Micro Focus company. All rights reserved.

The only warranties for this product and any associated updates or services are those that may be described in express warranty statements accompanying the product or in an applicable license agreement you have entered into. Nothing in this document should be construed as creating any warranty for a product, updates, or services. The information contained in this document is subject to change without notice and is provided “AS IS” without any express or implied warranties or conditions. Micro Focus shall not be liable for any technical or other errors or omissions in this document. Please see the product’s applicable end user license agreement for details regarding the license terms and conditions, warranties, and limitations of liability.

Any links to third-party websites take you outside Micro Focus websites, and Micro Focus has no control over and is not responsible for information on third party sites.