Highlights include the following product enhancements:
The SRC software runs as VMs and runs on C Series Controllers—a range of hardware platforms. The SRC 4.12.0 software contains the features found in the SRC 4.11.0 release plus the features listed in this section. The SRC 4.12.0 software may contain references to the service activation engine (SAE) Release version 7.17.0. SRC 4.12.0 software does not run on the discontinued C2000 and C4000 controllers because of hardware incompatibility.
Security Vulnerabilities Addressed in SRC 4.12.0 Release
The following changes related to security vulnerabilities have been made in the SRC 4.12.0 release. For more information about the individual CVEs, see http://web.nvd.nist.gov/view/vuln/search.
Support for TLSv1.1 and TLSv1.2 has been added.
Support for SSLv2 has been disabled.
Vulnerable weak ciphers (NULL, EXPORT, DES, RC4, 3DES, MD5, PSK, and IDEA) have been disabled.
The following CVEs have been fixed:
CVE-2016-2183: TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32) (ssl-cve-2016-2183-sweet32)
CVE-2013-2566: TLS/SSL Server supports RC4 Cipher Algorithms (CVE-2013-2566) (rc4-cve-2013-2566)
CVE-2011-3389: TLS/SSL Server enables the BEAST attack (ssl-cve-2011-3389-beast)
CVE-2014-3566: TLS/SSL Server enables the POODLE attack (sslv3-cve-2014-3566-poodle)
CVE-2015-4000: TLS Server supports DHE_EXPORT Cipher Algorithms (tls-dhe-export-ciphers-cve-2015-4000)
SSH version 1 has been disabled, and CVE-2001-1473 has been fixed.
New CLI options have been added to restrict access to the NTP server based on IP address or mask.
The following CVEs have been fixed:
Traffic amplification in listpeers feature of ntpd (ntp-r7-2014-12-listpeers-drdos)
Traffic amplification in peers feature of ntpd (ntp-r7-2014-12-peers-drdos)
Traffic amplification in reslist feature of ntpd (ntp-r7-2014-12-reslist-drdos)
Traffic amplification in clrtrap feature of ntpd (ntp-r7-2014-12-unsettrap-drdos)
Clock variables information disclosure (ntp-clock-variables-disclosure)
Apache Axis and Bouncy Castle
CVE-2012-5784, CVE-2014-3596, and CVE-2007-6721 have been fixed.
A clickjacking vulnerability has been fixed.
Autocomplete for sensitive HTML form fields has been disabled.
Jetty has been upgraded from 4.2.24 to 9.2.25.
Support for TLSv1.2 has been added, and the older versions SSLv2, SSLv3, TLSv1, and TLSv1.1 have been disabled.
Vulnerable weak ciphers (NULL, EXPORT, DES, RC4, 3DES, MD5, PSK, IDEA, and CAMELLIA) have been disabled.
CVE-2005-3747, CVE-2009-1524, and CVE-2011-4461 have been fixed.
Application Server (JBoss)
New CLI options have been added for configuring the TLS protocol versions TLSv1.0, TLSv1.1, and TLSv1.2.
Vulnerable weak ciphers (NULL, EXPORT, DES, RC4, 3DES, MD5, PSK, IDEA, and CAMELLIA) have been disabled for TLSv1.2.
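A post-upgrade check for the cipher and protocol changes listed above, as an added example that is not part of the SRC release notes or of the SRC software: it flags entries in a scanner's protocol/cipher listing that fall in the disabled cipher families or use a protocol version outside the allowed set. The two-column input format, the function names, and the TLSv1.2-only default are assumptions; the sample listing is constructed.

```python
import re

# Constructed sample listing ("protocol cipher" per line), not from a real SRC host.
SAMPLE_SCAN = """\
# protocol cipher
TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
TLSv1.2 DES-CBC3-SHA
TLSv1.2 EXP-DES-CBC-SHA
TLSv1   AES128-SHA
SSLv3   RC4-MD5
TLSv1.2 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
"""

def weak_families(cipher):
    """Return the disabled families (per the release notes) a suite name falls in."""
    # Compare whole tokens so "DES" never matches inside "3DES" or "DES40".
    tokens = set(re.split(r"[-_]", cipher.upper()))
    hits = set()
    for tok in tokens:
        if tok.startswith("EXP"):            # OpenSSL "EXP-", IANA "_EXPORT_"
            hits.add("EXPORT")
        elif tok.startswith("CAMELLIA"):     # CAMELLIA128 / CAMELLIA_256
            hits.add("CAMELLIA")
        elif tok in ("3DES", "CBC3"):        # IANA "3DES_EDE", OpenSSL "DES-CBC3"
            hits.add("3DES")
        elif tok in ("NULL", "RC4", "MD5", "PSK", "IDEA"):
            hits.add(tok)
    if "DES" in tokens and "3DES" not in hits:   # single DES only
        hits.add("DES")
    return sorted(hits)

def audit(scan_text, allowed_protocols=("TLSv1.2",)):
    """Return (protocol, cipher, reasons) for each entry that violates the policy."""
    findings = []
    for raw in scan_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("expected 'protocol cipher': %r" % raw)
        proto, cipher = parts
        reasons = ["family " + f for f in weak_families(cipher)]
        if proto not in allowed_protocols:   # assumed policy, see lead-in
            reasons.insert(0, "protocol " + proto)
        if reasons:
            findings.append((proto, cipher, reasons))
    return findings

if __name__ == "__main__":
    for proto, cipher, reasons in audit(SAMPLE_SCAN):
        print("%-8s %-40s %s" % (proto, cipher, ", ".join(reasons)))
```

For the JBoss application server, where the TLS protocol versions are configurable, pass the configured set as allowed_protocols.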
License Server Enhancements
In SRC 4.11.0 and earlier releases, if licenses are allotted to a router driver and the router driver becomes inactive, the allocated licenses are not released to other router drivers. This causes failures in allocating licenses for other virtual routers because the licenses are exhausted. A new CLI command, request sae license remove-allocated virtual-router virtual-router-name, has been introduced in the SRC 4.12.0 release to remove licenses for an inactive router driver. This command is applicable only to inactive router drivers and virtual routers managed by the same SAE.
Enhancements on Gx Router Driver State Changes
The Gx router driver is enhanced to synchronize and handle router driver state transitions and connection state messages (events) from the router.
Diameter Graph Enhancement
The C-Web interface is enhanced to add graphs for statistics values of the Diameter component. The following Diameter statistics are added in the C-Web interface for better monitoring:
AAR Received Requests
ACR Received Requests
CCR Received Requests
Average Received Request Processing Time
Average Sent Request Processing Time
Device Filter Key Support for SAE Info Log
The SRC software provides device filter key support for the SAE info log. This support enables you to configure filters based on the router name, interface name, or login name for SAE info logs.
SAE Heap Parameter Enhancements
In the slot number sae command, the java-min-heap-size-percentage, java-heap-size-percentage, java-min-new-size-percentage, and java-new-size-percentage options are newly added. These options enable you to configure SAE heap parameters based on the percentage of total memory.
The existing options java-min-heap-size, java-heap-size, java-min-new-size, and java-new-size are now read-only and are automatically configured based on the percentage values set for the corresponding new options. As a result, whenever you increase or decrease the total memory, the existing SAE heap parameters are automatically reconfigured without any manual intervention.
In the shared sae group group-name configuration driver session-store command, the min-legal-time and max-legal-time options are newly added for configuring minimum legal time and maximum legal time for session store during replication from master to slave. To configure the min-legal-time and max-legal-time options, you must set the editing level to expert.
Removal of JPS from SRC Software
The JPS component has been removed from the SRC software.