Environment
Verastream Process Designer
Verastream Bridge Integrator
Verastream SDK for Unisys and Airlines version 5.0 or higher
Situation
Resolution
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.
Alert |
glibc Stack-based Buffer Overflow Vulnerability (CVE-2015-7547) |
Date Posted |
February 2016 |
Summary |
The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() function is used. |
Product Status |
Verastream Host Integrator is subject to this vulnerability when run on Red Hat Enterprise Linux and SUSE Linux Enterprise Server platforms if the GNU C Library (glibc) installed on the system is between versions 2.9 and 2.22 (inclusive). The vulnerability is fixed in glibc version 2.23. Note that Red Hat and SUSE deliver the fix as patched packages that keep their original version number (a patched 2.17 still reports 2.17), so check the package errata or changelog for CVE-2015-7547 rather than relying on the version string alone. For information on how to update your Red Hat system, see https://access.redhat.com/security/cve/cve-2015-7547. For information on how to update your SUSE system, see https://www.suse.com/support/update/announcement/2016/suse-su-20160471-1.html. |
Additional Information |
For vulnerability details, see: https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html |
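The following script is an added example, not part of this KB article, that turns the version range above into a check you can run on a Linux VHI host. It assumes `ldd --version` prints the glibc version as the last word of its first line (true for GNU libc) and that a backported fix can be recognised from the glibc package changelog (`rpm -q --changelog` on Red Hat/SUSE, `changelog.Debian.gz` on Debian-derived systems); the sample `ldd` strings in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the Attachmate KB): classify the glibc on a
# Linux VHI host against the CVE-2015-7547 range the advisory gives
# (2.9 through 2.22 inclusive), then look for a backported fix, because
# Red Hat and SUSE patch in place without changing the version string.

# 0 when MAJOR.MINOR lies in 2.9..2.22, 1 otherwise (glibc has no third component).
glibc_in_vuln_range() {
  printf '%s\n' "$1" |
    awk -F. '{ n = $1 * 1000 + $2; exit !(n >= 2009 && n <= 2022) }'
}

# Version from the first line of `ldd --version`, e.g. (constructed samples)
# "ldd (GNU libc) 2.17" or "ldd (Ubuntu GLIBC 2.23-0ubuntu3) 2.23".
glibc_version_from_ldd() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $NF; exit }'
}

# 0 when the installed package's changelog mentions the CVE (rpm or dpkg
# based systems); 1 when it does not or the check is unavailable.
glibc_backport_present() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --changelog glibc 2>/dev/null | grep -q 'CVE-2015-7547'
  elif [ -r /usr/share/doc/libc6/changelog.Debian.gz ]; then
    zcat /usr/share/doc/libc6/changelog.Debian.gz 2>/dev/null | grep -q 'CVE-2015-7547'
  else
    return 1
  fi
}

# Verdict for a version string plus a backport flag (0 = backport found).
glibc_verdict() {
  if glibc_in_vuln_range "$1"; then
    if [ "$2" -eq 0 ]; then echo PATCHED; else echo VULNERABLE; fi
  else
    echo NOT-AFFECTED
  fi
}

# Live check of this host; silently skipped where ldd is not available.
live_ver=""
if command -v ldd >/dev/null 2>&1; then
  live_ver=$(glibc_version_from_ldd "$(ldd --version 2>/dev/null)")
fi
if [ -n "$live_ver" ]; then
  if glibc_backport_present; then bp=0; else bp=1; fi
  echo "glibc $live_ver: $(glibc_verdict "$live_ver" "$bp")"
fi
```

A VULNERABLE verdict means the version is in range and no fix is recorded in the package; PATCHED means the distribution's errata package is installed even though the version string is unchanged. Treat an absent changelog as "unknown" and confirm against the vendor advisory linked above.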
Alert |
Unsafe Object Deserialization Vulnerability |
Date Posted |
December 2015 |
Summary |
Apache Commons Collections (ACC) library version 3.2.1 contains a vulnerability that allows a remote attacker to execute arbitrary code on an unpatched machine that uses JMX. |
Product Status |
Verastream Host Integrator 7.7.34 and earlier and Verastream Process Designer R6 or earlier include the affected library version, and are vulnerable. To update ACC files in your installation, see KB 7021301. Also, to mitigate this vulnerability, ensure that firewalls are configured to allow connections only from remote clients that specifically require such access. This includes JMX management and configuration ports 33000 and 33001 (for VHI; see also KB 7021229) and port 34000 (for VPD). |
Additional Information |
For vulnerability details, see http://www.kb.cert.org/vuls/id/576313. This vulnerability continues to be a subject of research, so check back for further updates. |
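The script below is an added example, not part of this KB article, covering the two actions above: it locates Commons Collections jars under an installation folder and flags the versions that still carry the unsafe deserialization gadget, and it prints firewall rules confining the JMX ports named above to an administrative network. The advisory names 3.2.1; the example also flags earlier 3.x releases and 4.0, which Apache fixed in 3.2.2 and 4.1. The install path and admin network are hypothetical arguments, and the manifest text in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the Attachmate KB): find Apache Commons
# Collections jars under a Verastream installation and flag versions that
# still ship the unsafe deserialization gadget, then emit firewall rules
# that confine the JMX ports named in the advisory (33000/33001 for VHI,
# 34000 for VPD) to an administrative network. The install directory and
# admin CIDR are hypothetical inputs.

# Implementation-Version from manifest text (CRLF line endings tolerated).
acc_version_from_manifest() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -F': *' '$1 == "Implementation-Version" { print $2; exit }'
}

# Fallback when the manifest is unreadable: version from the file name,
# e.g. commons-collections-3.2.1.jar or commons-collections4-4.0.jar.
acc_version_from_name() {
  printf '%s\n' "$1" |
    sed -n 's/.*commons-collections4\{0,1\}-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# 0 for releases with the gadget enabled: the advisory's 3.2.1 and every
# earlier 3.x, plus 4.0. Apache disabled it in 3.2.2 and 4.1.
acc_is_vulnerable() {
  printf '%s\n' "$1" | awk -F. '{
    maj = $1 + 0; min = $2 + 0; pat = $3 + 0
    if (maj == 3) exit !(min < 2 || (min == 2 && pat <= 1))
    if (maj == 4) exit !(min == 0)
    exit 1 }'
}

# One tab-separated line per jar: STATUS, VERSION, PATH.
scan_acc_jars() {
  find "$1" -type f -name 'commons-collections*.jar' 2>/dev/null |
    while IFS= read -r jar; do
      ver=""
      if command -v unzip >/dev/null 2>&1; then
        ver=$(acc_version_from_manifest "$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null)")
      fi
      [ -n "$ver" ] || ver=$(acc_version_from_name "$jar")
      if acc_is_vulnerable "$ver"; then status=VULNERABLE; else status=ok; fi
      printf '%s\t%s\t%s\n' "$status" "${ver:-unknown}" "$jar"
    done
}

# iptables rules allowing the JMX ports only from the given CIDR. Printed,
# not applied; review them and run as root (e.g. jmx_port_rules 10.0.0.0/24 | sh).
jmx_port_rules() {
  for p in 33000 33001 34000; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$p" "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$p"
  done
}

# Usage: scan_acc_jars /opt/attachmate/verastream; jmx_port_rules 10.0.0.0/24
```

Run the scan again after applying KB 7021301 to confirm no VULNERABLE line remains, and keep the firewall rules in place regardless: the jar update removes the gadget, the rules remove the unauthenticated JMX reachability that delivers it.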
Alert |
Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000) |
Date Posted |
July 2015 |
Summary |
With TLS 1.2 and earlier, if a DHE_EXPORT ciphersuite is supported by the server, a man-in-the-middle attacker can downgrade the connection to export-grade (512-bit) Diffie-Hellman. Additionally, with any TLS or SSH connection that uses weak DH groups (1024 bits or less) for key exchange, a well-resourced attacker can passively eavesdrop and decrypt sessions. |
Product Status |
The following information applies to Verastream Host Integrator.
SSH connections may be vulnerable, depending on the configuration of VHI and the SSH server. To avoid this vulnerability:
* Disable the Group1 algorithm in your model (Connection > Session Setup > Advanced > Key Exchange Algorithms).
* Verify your SSH server does not return a 1024-bit Group when 2048-bit Group Exchange is requested.
TLS connections are subject to this vulnerability. TLS connections to Verastream offer 1024-bit DH groups, except connections to secure Web Services (port 9681) running on Windows, Linux, or Solaris, which offer 768-bit DH groups. TLS connections from Verastream (such as to the host) use the DH group determined by the host configuration. To avoid this vulnerability:
* Configure any (web services) clients to use TLS ciphers that use RSA or ECDH for key exchange.
* Configure the TLS connections on your host to use a 2048-bit DH group.
TLS connections are not vulnerable to the man-in-the-middle attack, as DHE_EXPORT ciphers are not supported. |
Additional Information |
For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000. |
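The script below is an added example, not part of this KB article, for verifying the two points above from the command line. For TLS it reads the ephemeral DH group size that `openssl s_client` reports on its "Server Temp Key" line (printed by OpenSSL 1.0.2 and later), which is how you would confirm the 1024-bit or 768-bit groups described for the Verastream listeners, or a host's group after reconfiguration. For SSH it audits the server's `/etc/ssh/moduli`, the file sshd draws group-exchange groups from; its size column holds bits minus one, so a 1023 entry is a 1024-bit group. The host and port arguments are hypothetical, and both sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the Attachmate KB): two Logjam checks for the
# configuration points the advisory lists.
#  * TLS: read the ephemeral DH group size that `openssl s_client` reports
#    ("Server Temp Key: DH, 1024 bits"; printed by OpenSSL 1.0.2 and later).
#  * SSH: list /etc/ssh/moduli entries whose prime is shorter than 2048 bits
#    (the size column holds bits-1, so 1023 is a 1024-bit group).

# Group size in bits from s_client output; empty when the server negotiated
# a non-DH key exchange (RSA, ECDHE) or the handshake failed.
dh_bits_from_s_client() {
  printf '%s\n' "$1" |
    awk '/Server Temp Key: *DH,/ { sub(/.*DH, */, ""); print $1; exit }'
}

# 0 when the group is at or below the size the advisory warns about.
dh_is_weak() {
  [ -n "$1" ] && [ "$1" -le 1024 ]
}

# Live probe (hypothetical host/port); restricting the cipher list to DHE
# suites makes a server that offers finite-field DH at all reveal its group.
probe_tls_dh() {
  out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -cipher 'DHE' 2>/dev/null)
  dh_bits_from_s_client "$out"
}

# Moduli lines (comments skipped) with a prime below 2048 bits.
weak_ssh_moduli() {
  awk '$1 !~ /^#/ && NF >= 7 && $5 < 2000' "${1:-/etc/ssh/moduli}"
}

# Constructed sample s_client output and moduli so the script demonstrates
# itself without a network; the hex moduli are placeholders, not real primes.
SAMPLE_S_CLIENT='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'

SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 C7D3A1F9
20150101000000 2 6 100 2047 2 E3B0C442
20150101000000 2 6 100 4095 5 F1A2B3C4'

bits=$(dh_bits_from_s_client "$SAMPLE_S_CLIENT")
if dh_is_weak "$bits"; then
  echo "sample TLS endpoint: ${bits}-bit DH group (weak, Logjam range)"
else
  echo "sample TLS endpoint: ${bits:-no DH} (acceptable)"
fi
tmp_moduli=$(mktemp)
printf '%s\n' "$SAMPLE_MODULI" > "$tmp_moduli"
echo "weak moduli entries: $(weak_ssh_moduli "$tmp_moduli" | awk 'END { print NR }')"
rm -f "$tmp_moduli"
```

An empty result from `probe_tls_dh` means the server refused every DHE suite, which is the state you want after moving clients to RSA or ECDH key exchange. On the SSH server, delete the lines `weak_ssh_moduli` reports from `/etc/ssh/moduli` (or regenerate the file with `ssh-keygen -G` and `ssh-keygen -T`) and restart sshd; that is the server-side counterpart of disabling Group1 in the VHI model.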
Alert |
Apache Xerces-C Denial of Service Vulnerability (CVE-2015-0252) |
Date Posted |
April 2015 |
Summary |
Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data. |
Product Status |
The Verastream Host Integrator (VHI) C and COM connectors each have four methods that are possibly affected:
- RecordSetFromXML
- RecordSetToXML
- RecordFromXML
- RecordToXML
Only the C and COM connector APIs are affected. Specifically, VHI web services are not affected. The four methods, as well as the vulnerable Xerces-C library, have been removed in VHI 7.7.30 (7.7 Hotfix 2), available to maintained customers from https://support.microfocus.com/downloads/. |
Additional Information |
For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0252. |
Alert |
OpenSSL 19-Mar-2015 Security Release Vulnerabilities |
Date Posted |
April 2015 |
Summary |
On March 19, 2015, the OpenSSL development team released new libraries that fix eleven reported vulnerabilities. Some of these vulnerabilities might affect Verastream Host Integrator (VHI). |
Product Status |
The updated OpenSSL library is available for maintained customers in VHI 7.7.30 (7.7 Hotfix 2) from https://support.microfocus.com/downloads/. Note: Some of the issues reported were already fixed in an earlier release. |
Additional Information |
For vulnerability details, see https://www.openssl.org/news/secadv_20150319.txt. |
Alert |
Libssh2 vulnerability (CVE-2015-1782) |
Date Posted |
April 2015 |
Summary |
A libssh2 vulnerability can cause a denial of service (crash) in the Design Tool and Session Server when using SSH. |
Product Status |
This issue affects Verastream Host Integrator 7.6.1025 (7.6 SP1) through 7.7.27. If your version of VHI is affected and you are a maintained customer, upgrade to VHI 7.7.30 (7.7 Hotfix 2) from https://support.microfocus.com/downloads/. |
Additional Information |
For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1782. For the libssh2 Security Advisory, see http://www.libssh2.org/adv_20150311.html. For a detailed libssh2 issue ticket, see https://trac.libssh2.org/ticket/294. |
Alert |
SSL 3.0 'POODLE' Vulnerability (CVE-2014-3566) |
Date Posted |
October 2014 (modified February 2015) |
Summary |
A vulnerability in the SSL 3.0 protocol that makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack ("POODLE"). |
Product Status |
- Verastream Host Integrator (VHI) 7.7 is not vulnerable. All use of SSL 3.0 is disabled by default.
- Verastream Host Integrator (VHI) 7.6 SP1 or earlier: Session Server and Design Tool both contain SSL 3.0, but the resulting connections are not vulnerable to the attack unless connecting to a host that supports SSL 3.0 exclusively (not TLS). The VHI Web Services server (port 9681) also contains SSL 3.0. However, the connection is only vulnerable if you connect to it using a vulnerable browser. Typically, Web Services requests are made using Web Services clients, and these connections are not vulnerable.
- Other VHI components do not use SSL 3.0 and are not vulnerable.
- Verastream Process Designer (VPD) does not use SSL 3.0 and is not vulnerable.
- Verastream Bridge Integrator (VBI) contains SSL 3.0, but connections to the server are not vulnerable. |
Additional Information |
- In Verastream Host Integrator 7.6 SP1 or earlier, to disable SSL 3.0 in the Session Server and Design Tool, consider enabling FIPS mode. See US FIPS 140-2 Validated Cryptography in KB 7021314.
- Before using a browser to make an HTTPS connection to the Verastream Host Integrator Web Services server, disable SSL 3.0 in your browser.
For vulnerability details, see the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 |
Alert |
Multiple Oracle Java Vulnerabilities Affecting Verastream Host Integrator |
Summary |
Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you update Verastream Host Integrator on systems running Development Kit or Server Kit, and update Java on any client systems using the Java connector API, or Java web applications generated by Web Builder. For more information on Java versions installed with VHI, see KB 7021532. |
Date Posted and Version Affected |
- January 2015 – Verastream Host Integrator 7.7 installs Java 7 Update 75 (JDK 1.7.0_75) on Windows, Solaris, and Linux platforms.
- June 2014 – Verastream Host Integrator 7.6 SP1 installs Java 7 Update 55 (JDK 1.7.0_55) on Windows, Solaris, and Linux platforms.
- December 2013 – Verastream Host Integrator 7.6 installs Java 7 Update 45 (JDK 1.7.0_45) on Windows, Solaris, and Linux platforms.
- June 2013 – Verastream Host Integrator 7.5 SP1 installs Java 7 Update 21 (JDK 1.7.0_21) on Windows, Solaris, and Linux platforms.
- December 2012 – Verastream Host Integrator 7.5 installs Java 7 Update 9 (JDK 1.7.0_09) on Windows, Solaris, and Linux platforms.
- March 2012 – Verastream Host Integrator 7.1 Service Pack 2 installs Java 6 Update 29 (JDK 1.6.0_29) on Windows, Solaris, and Linux platforms. |
Additional Information |
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table. |
Alert |
TLS 1.x padding vulnerability (CVE-2014-8730) |
Date Posted |
December 2014 |
Summary |
Some TLS implementations do not check the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even when using TLS. |
Product Status |
Verastream Host Integrator (VHI) is not vulnerable to the attack. Verastream Process Designer (VPD) is not vulnerable. Verastream Bridge Integrator (VBI) is not vulnerable. |
Additional Information |
For vulnerability details, see the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730 |
Alert |
VPD Remote Code Execution Vulnerability CVE-2014-0607 |
Date Posted |
July 2014 |
Summary |
By sending a specially crafted request to a web service, it is possible to upload an arbitrary file on the target server, enabling the attacker to execute arbitrary code on the server. |
Product Status |
This issue affects Verastream Process Designer (VPD) R6 SP1 and all earlier versions. It is resolved beginning in Verastream Process Designer R6 SP1 Hotfix 1 (build 1010). Maintained customers can contact Attachmate Technical Support to obtain the hotfix. |
CVSS Version 2.0 |
Base Score: 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C |
Additional Information |
Attachmate would like to thank Andrea Micalizzi (rgod), working with HP's Zero Day Initiative, for the discovery and responsible reporting of this vulnerability. For vulnerability details, see the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0607 |
Alert |
OpenSSL "CCS Injection" Vulnerability CVE-2014-0224 |
Date Posted |
June 2014 |
Summary |
A vulnerability in OpenSSL could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic. |
Product Status |
This issue affects all versions of Verastream Host Integrator version 7.6 or earlier. This issue is resolved beginning in Verastream Host Integrator 7.6 SP1 (version 7.6.1026). Maintained customers can download the latest version from the Attachmate Downloads site, https://download.attachmate.com/. |
Additional Information |
For details and the latest information on mitigations, see the following: CERT-CC Vulnerability Note VU#978508: http://www.kb.cert.org/vuls/id/978508 National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 |
Alert |
OpenSSL "Heartbleed" Vulnerability CVE-2014-0160 |
Date Posted |
April 2014 |
Summary |
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. |
Product Status |
This issue affects Verastream Host Integrator version 7.6. Earlier Verastream Host Integrator versions and other Verastream products are not subject to this vulnerability. This issue is resolved beginning in Verastream Host Integrator 7.6 Hotfix 3 (version 7.6.49). Maintained customers can download the latest version from the Attachmate Downloads site, https://download.attachmate.com/. |
Additional Information |
For details and the latest information on mitigations, see the following: US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951 National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 |
Alert |
Multiple RSA BSAFE SSL-J Vulnerabilities Affect Verastream SDK for Unisys and Airlines |
Summary |
Multiple security issues have been addressed in RSA BSAFE SSL-J module 6.1.2. We recommend that you update to the latest version of Verastream SDK for Unisys and Airlines. |
Date Posted and Version Affected |
April 2014 – Verastream SDK for Unisys and Airlines 5.0 uses RSA BSAFE SSL-J module 6.1.2. |
Additional Information |
For details, see the following web sites: http://www.securityfocus.com/archive/1/526913/100/900/threaded http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389 |
Alert |
Multiple OpenSSL Vulnerabilities |
Date Posted |
March 2014 |
Summary |
The ssl3_take_mac function allows remote TLS servers to cause a denial of service via a crafted TLS handshake (CVE-2013-4353). The ssl_get_algorithm2 function allows remote attackers to cause a denial of service attack via crafted traffic from a TLS 1.2 client (CVE-2013-6449). |
Product Status |
These issues are resolved beginning in Verastream Host Integrator 7.6 Hotfix 2 (7.6.47). Download the latest version from Attachmate Downloads at https://download.attachmate.com. |
Additional Information |
For details, see the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 |
Alert |
RSA Security Advisory: ESA-2013-068 Crypto-J Default DRBG May Be Compromised |
Date Posted |
January 2014 (modified February 2014) |
Summary |
RSA strongly recommends that customers discontinue use of the default Dual EC DRBG (deterministic random bit generator) and move to a different DRBG. |
Product Status |
This issue affects Verastream Host Integrator 7.6, 7.5 SP1, 7.5, and 7.1 SP2; and Verastream Process Designer R6 and R5 SP1. Verastream products on AIX and z/Linux are not affected. |
Additional Information |
If you wish to change the default pseudo-random number generator (PRNG) used, add the following line to the java.security file:
com.rsa.crypto.default.random=HMACDRBG256
This java.security file is found in the following directory: <installation folder>/java/jdk<version>/jre/lib/security. Note that the Java version is different depending on the version of the product you have installed. If you have more than one Verastream product installed, you may have to edit more than one file. For information on Java versions in Verastream, see the Java and Verastream section below. For more information about this alert, see http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf. |
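The script below is an added example, not part of this KB article, that applies the java.security change above to every private JDK under an installation folder in one pass. It assumes the directory layout given above (`<installation folder>/java/jdk<version>/jre/lib/security/java.security`), keeps a `.bak` copy of each file it touches, replaces an existing `com.rsa.crypto.default.random` line rather than adding a duplicate, and is safe to run twice. The install path is a hypothetical argument.

```shell
#!/usr/bin/env bash
# Added example (not part of the Attachmate KB): set
# com.rsa.crypto.default.random=HMACDRBG256 in every java.security under
# <install>/java/jdk<version>/jre/lib/security, idempotently and with a
# backup. The install directory is a hypothetical argument.

KEY='com.rsa.crypto.default.random'
WANT='HMACDRBG256'

# Print the current value of KEY in a file (empty when unset).
current_drbg() {
  awk -v k="$KEY" -F= 'index($0, k "=") == 1 { print $2; exit }' "$1"
}

# Rewrite one file: replace an existing KEY line, or append one. Keeps a
# .bak copy and prints the action taken; returns 1 if the file cannot be written.
set_default_drbg() {
  f="$1"
  if [ "$(current_drbg "$f")" = "$WANT" ]; then echo "unchanged $f"; return 0; fi
  cp -p "$f" "$f.bak" || return 1
  awk -v k="$KEY" -v v="$WANT" '
    index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }' "$f.bak" > "$f" || return 1
  echo "updated $f"
}

# Apply to every private JDK under the install folder.
set_drbg_for_install() {
  find "$1/java" -path '*/jre/lib/security/java.security' -type f 2>/dev/null |
    while IFS= read -r f; do set_default_drbg "$f"; done
}

# Usage: set_drbg_for_install /opt/attachmate/verastream
```

A JVM reads java.security at startup, so restart the Verastream services (and the Design Tool or Process Design Studio) after the change; `current_drbg <file>` printing HMACDRBG256 confirms the setting is in place for that JDK.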
Alert |
Verastream Host Integrator Session Server Vulnerability CVE-2013-3626 |
Date Posted |
September 2013 (modified November 2013) |
Summary |
By sending a specially crafted message to the Verastream Host Integrator Session Server, an unauthenticated remote attacker can execute arbitrary code to gain control of the server. |
Product Status |
This issue is resolved in Verastream Host Integrator 7.5 SP1 Hotfix 2 or higher (7.5.1038 or higher) and in Verastream Host Integrator 7.1 SP2 Hotfix 7 (7.1.2043). Maintained customers can obtain the latest version from Attachmate Downloads at https://download.attachmate.com. |
Additional Information |
This vulnerability is posted at the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3626 CERT Coordination Center (CERT/CC) Vulnerability Note VU#436214: http://www.kb.cert.org/vuls/id/436214 |
Alert |
Multiple Oracle Java Vulnerabilities Affecting Verastream Process Designer |
Summary |
Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you upgrade Verastream Process Designer to the latest version. |
Date Posted and Version Affected |
- October 2013 – Verastream Process Designer R6 installs Java 7 Update 25 (JDK 1.7.0_25) on Windows, Solaris, and Linux platforms.
- May 2013 – Verastream Process Designer R5 SP1 installs Java 7 Update 15 (JDK 1.7.0_15) on Windows, Solaris, and Linux platforms. |
Additional Information |
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table. |
Alert |
Vulnerability Summary for CVE-2013-1571 |
Date Posted |
June 2013 |
Summary |
Verastream Host Integrator and Verastream Bridge Integrator contain API documentation in HTML format that was created by Javadoc. Additionally, the Web Builder tool that is part of Verastream Host Integrator runs Javadoc to generate API documentation in HTML format for some of the code that it generates. Javadoc HTML pages created by the Javadoc tool included with Java 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and JavaFX 2.2.21 and earlier contain JavaScript code that fails to parse scheme-relative URI parameters correctly. An attacker can construct a URI that passes malicious parameters to the affected HTML page and causes one of the frames within the Javadoc-generated web page to be replaced with a malicious page. This vulnerability could be used for phishing or social engineering, or it could be used for browser exploitation if combined with another browser-related vulnerability. |
Product Status |
Verastream Host Integrator 7.5 SP1 or earlier and Verastream Bridge Integrator R5 SP1 or earlier contain Help pages that are vulnerable. However, these pages are not served on a public web server, but on a local server that listens on an arbitrary (ephemeral) port, making it unlikely that the vulnerability can be exploited. If you wish to eliminate this vulnerability, you can run the "Java API Documentation Updater Tool" that is available as a separate download from Oracle. Note that in a typical installation, the tool will have to be run with elevated privileges to write into the installed files. The API documentation in HTML format that is created by Web Builder also contains the problematic JavaScript, but these files are not served on a web server and therefore are not vulnerable. Verastream Process Designer is not affected. |
Additional Information |
For details, see the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1571 CERT Coordination Center (CERT/CC) Vulnerability Note VU#225657: http://www.kb.cert.org/vuls/id/225657 Oracle's Java API Documentation Updater Tool: http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html |
Alert |
Vulnerability Summary for CVE-2013-0422 |
Date Posted |
January 2013 |
Summary |
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications. |
Product Status |
Verastream products are not subject to this vulnerability. However, to configure Verastream Host Integrator connections to use the Reflection Security Proxy Server (using the Administrative WebStation included in Reflection Administrator, Reflection Security Gateway, or Reflection for the Web, sold separately from Verastream), your browser must have a Java plug-in enabled. It is this JRE plug-in and Java Web Start that can be exploited, not Attachmate products. To minimize the risk described in this vulnerability, you should refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability. Note: Java used by the browser is a separate installation from the private JDK installed with Verastream Host Integrator; the private JDK is not subject to this vulnerability. |
Additional Information |
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html. |
Alert |
Multiple Apache Tomcat Vulnerabilities |
Date Posted |
December 2012 |
Summary |
Multiple Tomcat security issues have been addressed in Verastream Host Integrator 7.5. |
Product Status |
Verastream Host Integrator 7.5 has resolved these security issues by no longer using Tomcat for the VHI Web Server. (The VHI Web Server is used to run Java-based projects generated by Web Builder.) Beginning in Verastream Host Integrator 7.5, other technologies are used instead. |
Additional Information |
For details about the vulnerabilities in Tomcat, see the Apache web site at http://tomcat.apache.org/security-5.html. |
Alert |
Multiple Oracle Java Vulnerabilities Affecting Verastream Process Designer |
Date Posted |
October 2012 |
Summary |
Multiple security issues have been addressed in Oracle Java 7 Update 3 or higher. |
Product Status |
These issues are resolved in Verastream Process Designer R5 on Windows, Solaris, and Linux platforms, which installs Java 7 Update 4 (JDK 1.7.0_04). Verastream Process Designer R4 installed Java 6 Update 16, and R4 SP1 installed Java 6 Update 26. |
Additional Information |
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table. |
Alert |
Vulnerability Summary for Verastream Denial of Service |
Date Posted |
October 2011 |
Summary |
A specially crafted network message can cause a denial of service (server restart) in versions of the VHI session server prior to 7.1 SP1. |
Product Status |
The vulnerability has been fixed in Verastream Host Integrator 7.1 SP1. Other Verastream products are not subject to this vulnerability. |
Additional Information |
Attachmate would like to thank Mark Goodwin and Bartosz Maciej of Citi UK for discovering and reporting the vulnerability. |
Alert |
Vulnerability Summary for CVE-2010-3190 |
Date Posted |
October 2011 |
Summary |
Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability." |
Product Status |
In Verastream Host Integrator 7.1 SP1 and Verastream Process Designer R4 SP1, the Microsoft Redistributable Library files affected by the untrusted search path vulnerability have been updated. Other Verastream products are not subject to this vulnerability. |
Additional Information |
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3190. |
Alert |
Multiple OpenSSL Vulnerabilities |
Date Posted |
February 2011 |
Summary |
Multiple OpenSSL vulnerabilities are described in the following: CVE-2010-4252, CVE-2010-4180, and CVE-2010-3864. |
Product Status |
Attachmate Verastream products, and specifically Verastream Host Integrator, are not subject to this vulnerability. |
Additional Information |
For details, see the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4252 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864 |
Alert |
Vulnerability Summary for CVE-2010-1622 |
Date Posted |
October 2010 |
Summary |
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file. |
Product Status |
Attachmate Verastream products, and specifically Verastream Process Designer, are not subject to this vulnerability. |
Additional Information |
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1622. |
Alert |
US-CERT Technical Cyber Security Alert TA10-238A |
Date Posted |
September 2010 |
Summary |
Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code. |
Product Status |
Attachmate Verastream products are not subject to this vulnerability. |
Additional Information |
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html. |
Alert |
OpenSSL cryptographic message syntax vulnerability CVE-2010-0742 |
Date Posted |
June 2010 |
Summary |
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. |
Product Status |
Attachmate Verastream products are not subject to this vulnerability. |
Additional Information |
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742. |
Alert |
OpenSSL RSA verification recovery vulnerability CVE-2010-1633 |
Date Posted |
June 2010 |
Summary |
RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. |
Product Status |
Attachmate Verastream products are not subject to this vulnerability. |
Additional Information |
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633. |
Alert |
US-CERT Technical Cyber Security Alert TA09-209A |
Date Posted |
28-July-2009 |
Summary |
Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable. |
Product Status |
Verastream Transaction Integrator (VTI) version 4.0 includes the vulnerable Microsoft ATL redistribution. However, as VTI does not use ATL in an ActiveX control, nor is it scriptable, the risk is significantly lessened. To remove the possibility of third-party controls or scripts using the vulnerable ATL, incorporation of the non-vulnerable ATL is planned for the next release of VTI. |
Additional Information |
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html. |
Alert |
iDefense Advisory 11.15.05 |
Date Posted |
January 2007 |
Product Status |
For information on this security vulnerability in Verastream Integration Broker version 9.9 or earlier, see Technical Note 10070. |
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Other Useful Resources
- Operating system, host, and network effects on overall security: KB 7021969.
- Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
- Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
- Review security updates for other Attachmate products: https://support.microfocus.com/security/.
- Information about Attachmate products and FIPS 140-2: KB 7021285.
Java and Verastream
Verastream products use Java in the following ways:
- Host Integrator – The Session Server, Management Server, Web Server, Log Manager, and Administrative Console all use a privately installed JDK. This privately installed JDK is updated when the Verastream product releases; this may occur with a hotfix, service pack, or full release.
- Bridge Integrator – The Bridge Designer, Transaction Studio, Requestor Clients, and Trace Player all use the shared Java JDK installed by you, and JDK updates need to be managed by you. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
- Process Designer – The Process Server and Process Design Studio use a privately installed JDK. This privately installed JDK is updated when the Verastream product releases; this may occur with a hotfix, service pack, or full release.
Note: For Verastream products run on AIX and Linux on System z, Verastream uses the Java version that is on the system, and Java updates need to be managed by you. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
For more information about Java and Attachmate products, see KB 7021973.
Legacy KB ID
This document was originally published as Attachmate Technical Note 2700.