Environment
Reflection for the Web (All Editions) version 12.2 or higher
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection Security Gateway 2014
Situation
Resolution
Java and Management and Security Server, Reflection for the Web, or Reflection Security Gateway
For Reflection for the Web, the terminal emulation and file transfer components are typically deployed as applets in a web browser, and require a Java browser plug-in. Two applets, the Login applet and Links List applet, are used to authenticate users and deploy sessions to authorized users.
The terminal emulation and file transfer components can optionally be deployed as desktop applications rather than as applets. This feature is optional and requires customization.
The terminal emulation and file transfer components can optionally be deployed using Java Web Start (JNLP).
The Administrative Server, Security Proxy Server, Metering Server, and Terminal ID Management Server are Java server components that can be installed with a private version of Java, or can be configured to use a shared version of Java. The privately installed JRE is regularly updated with hotfixes and service packs. If you use a shared version of Java, you need to manage updates yourself.
For Management and Security Server or Reflection Security Gateway, two applets—the Login applet and Links List applet—are used to authenticate users and deploy sessions to authorized users.
The Administrative Server, Security Proxy Server, Metering Server and Terminal ID Management Server are Java server components that can be installed with a private version of Java, or can be configured to use a shared version of Java. The privately installed JRE is regularly updated with hotfixes and service packs. If you use a shared version of Java, you need to manage updates yourself.
For more information about Java and Attachmate Products, see KB 7021973.
Security Alerts and Advisories
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.
Alert: Management and Security Server (CVE-2016-5765)
Date Posted: November 2016
Summary: Administrative Server in Micro Focus Host Access Management and Security Server (MSS), Reflection for the Web (RWeb), Reflection Security Gateway (RGS) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that allows limited directory traversal.
Product Status: The following product versions fix the vulnerability: Host Access Management and Security Server 12.4.042; Host Access Management and Security Server 12.3 build 326 and Reflection for the Web 12.3 build 312; Host Access Management and Security Server 12.2 build 342 and Reflection for the Web 12.2 build 342; Reflection for the Web 2014 R2 (12.1 build 362) and Reflection Security Gateway 2014 R2 (12.1 build 362); Reflection ZFE 2.0.1.18, 2.0.0.52 and 1.4.0.14.
Additional Information: CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5765
The attacker's ability to read files is limited by the Administrative Server's enforcement of a restriction on the length of some input data. An upgrade that fixes this vulnerability is available to maintained customers through the downloads website, https://download.attachmate.com/upgrades. Customers are encouraged to upgrade immediately. In addition to upgrading, maintained customers should contact Technical Support for recommended steps to further secure their systems. Maintained customers may access additional information in technical note 2888. Non-maintained customers should contact Micro Focus for more information. The upgrade also adds support for a stronger algorithm (PBKDF2 with SHA256) to protect certain passwords. This vulnerability was discovered by rgod working with Trend Micro's Zero Day Initiative, http://zerodayinitiative.com/.
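The defence against the class of bug described in this alert is to canonicalise the requested path and confirm that it still lies under the document root, combined with an input length limit of the kind the advisory mentions. The following is an added illustration and not code from Micro Focus or the Administrative Server; the function names, the 255-character limit and the sample root directory are constructed for the example. The unsafe join is shown beside the hardened resolver so the difference in behaviour is visible.

```python
import os
from urllib.parse import unquote

MAX_REQUEST_LEN = 255  # hypothetical length limit applied to the request path


def naive_join(root: str, requested: str) -> str:
    """The unsafe pattern: concatenate the request onto the root and trust the
    result. '..' segments in the request walk out of the root directory."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_under_root(root: str, requested: str):
    """Hardened form: return the canonical path of `requested` inside `root`,
    or None if the request is over-long, contains a NUL byte, or resolves
    anywhere outside the root directory."""
    if len(requested) > MAX_REQUEST_LEN:
        return None
    # Decode percent-encoding exactly once, then canonicalise. Checking the
    # raw string for "../" would miss encoded forms such as "%2e%2e/".
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    root_abs = os.path.realpath(root)
    # realpath collapses ".", ".." and symlinks, so the containment test below
    # is made on the path the filesystem would actually open.
    candidate = os.path.realpath(os.path.join(root_abs, decoded.lstrip("/")))
    if candidate != root_abs and not candidate.startswith(root_abs + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    root = "/srv/www/docs"  # constructed sample document root
    for req in ("guide/index.html", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:32} naive={naive_join(root, req)!r:28} hardened={resolve_under_root(root, req)!r}")
```

The containment check compares canonical absolute paths rather than looking for `..` in the input, so encoded, doubled and symlink-based variants are all handled by the same test.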
Alert: Apache Shiro (CVE-2016-6802)
Date Posted: November 2016
Summary: Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
Product Status: Apache Shiro 1.3.2 is included in Host Access Management and Security Server 12.4.042; Host Access Management and Security Server (MSS) 12.3.326, Reflection for the Web (RWeb) 12.3.312, Reflection ZFE (ZFE) 2.0.1.18 and Reflection ZFE 2.0.0.52. MSS and RWeb versions earlier than 12.3.x are not affected. ZFE versions earlier than 2.0.0.x are not affected.
Additional Information: For vulnerability details, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6802
Alert: Apache Derby (CVE-2015-1832)
Date Posted: November 2016
Summary: XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
Product Status: Apache Derby 10.12.1.1 is included in Host Access Management and Security Server 12.4.042; Host Access Management and Security Server 12.3.326 and Reflection for the Web 12.3 build 312; Host Access Management and Security Server 12.2 build 342 and Reflection for the Web 12.2 build 342; Reflection for the Web 2014 R2 (12.1 build 362) and Reflection Security Gateway 2014 R2 (12.1 build 362); Reflection ZFE 2.0.1.18, 2.0.0.52 and 1.4.0.14.
Additional Information: For vulnerability details, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832
Alert: Multiple Oracle Java Vulnerabilities
Summary: Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you keep current with Java releases.
Date Posted and Version Affected:
- November 2016: The following builds include Java 8 Update 111: Host Access Management and Security Server 12.4.042; Host Access Management and Security Server 12.3.326 and Reflection for the Web 12.3.312; Host Access Management and Security Server 12.2.342 and Reflection for the Web 12.2.342; Reflection for the Web 2014 R2 (12.1.362) and Reflection Security Gateway 2014 R2 (12.1.362); Reflection ZFE 2.0.1.18, 2.0.0.52 and 1.4.0.14. Information from Oracle about the security content of Java 8 Update 111 is here: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA
- August 2016: Host Access Management and Security Server 12.3 build 306 and Reflection for the Web 12.3 build 303; Host Access Management and Security Server 12.2 build 334 and Reflection for the Web 12.2 build 334; Reflection for the Web 2014 R2 (12.1) build 350 and Reflection Security Gateway 2014 R2 (12.1) build 350. All install Java 8 Update 101.
- May 2016: Host Access Management and Security Server 12.2 build 326 and Reflection for the Web 12.2 build 326; Reflection for the Web 2014 R2 (12.1) build 343 and Reflection Security Gateway 2014 R2 (12.1) build 343. All install Java 8 Update 91.
- February 2016: Host Access Management and Security Server 12.2 build 313 and Reflection for the Web 12.2 build 313; Reflection for the Web 2014 R2 (12.1) build 343 and Reflection Security Gateway 2014 R2 (12.1) build 343. All install Java 8 Update 71.
- November 2015: Reflection for the Web 2014 R2 (12.1) build 329 and Reflection Security Gateway 2014 R2 (12.1) install Java 8 Update 65.
- October 2015: Host Access Management and Security Server 12.2 build 302 and Reflection for the Web 12.2 build 302 install Java 8 Update 51.
- October 2013: Reflection for the Web 2014 and Reflection Security Gateway 2014 install Java 7 Update 25.
- March 2013: Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 24 Build 584 installs Java 7 Update 15.
- February 2013: Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 23 Build 581 installs Java 6 Update 39.
- September 2012: Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 16 Build 562 installs Java 6 Update 35.
- June 2012: Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 13 Build 549 installs Java 6 Update 33.
- March 2012: Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 9 Build 540 installs Java 6 Update 31.
Additional Information: For details about the vulnerabilities fixed by Oracle, see the Oracle web site.
Java 8 updates: http://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html
Java 7 updates: http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html
Java 6 updates: http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
Alert: Multiple Apache Tomcat Vulnerabilities
Summary: Multiple Tomcat security issues have been addressed in the latest Tomcat release.
Date Posted and Version Affected:
- August 2016: Host Access Management and Security Server 12.3 build 306 and Reflection for the Web 12.3 build 303 both install Tomcat 8.0.36.
- April 2016: Host Access Management and Security Server 12.2 build 323 and Reflection for the Web 12.2 build 323; Reflection for the Web 2014 R2 (12.1) build 323 and Reflection Security Gateway 2014 R2 (12.1) build 323. All install Tomcat 6.0.45.
- October 2015: Host Access Management and Security Server 12.2 build 302 and Reflection for the Web 12.2 build 302 install Tomcat 6.0.44.
- October 2013: Reflection for the Web 2014 and Reflection Security Gateway 2014 install Tomcat 6.0.36. Note that the security issues fixed in Tomcat 6.0.37 do not apply to Reflection for the Web 2014 and Reflection Security Gateway 2014.
- February 2012: Reflection for the Web 2011 R1 SP1 and Reflection Security Gateway 2011 R1 SP1 install Tomcat 6.0.35.
- June 2011: Reflection for the Web 2011 R1 and Reflection Security Gateway 2011 R1 install Tomcat 6.0.32.
Additional Information: For details about the vulnerabilities in Tomcat, see the Apache web site at http://tomcat.apache.org/security-6.html.
Alert: Apache Struts (CVE-2016-1181)
Date Posted: July 2016
Summary: ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
Product Status: Reflection for the Web, Reflection Security Gateway and Host Access Management and Security Server are not affected by this issue.
Additional Information: For vulnerability details, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
Alert: Apache Struts (CVE-2015-0899)
Date Posted: July 2016
Summary: The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
Product Status: Reflection for the Web, Reflection Security Gateway and Host Access Management and Security Server are not affected by this issue.
Additional Information: For vulnerability details, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0899
Alert: Apache Struts (CVE-2016-1182)
Date Posted: July 2016
Summary: ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
Product Status: Reflection for the Web, Reflection Security Gateway and Host Access Management and Security Server are not affected by this issue.
Additional Information: For vulnerability details, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182
Update: RSA BSAFE Crypto-J JSAFE and JCE Module
Date Available: March 2016
Summary: FIPS validation issues have been addressed in a hotfix. RSA BSAFE Crypto-J JSAFE and JCE software module version 6.2.1 has been validated by the National Institute of Standards and Technology (NIST).
Product Status: Management and Security Server and Reflection for the Web: This issue has been resolved in versions 12.2.319 and 12.1.337. Contact Technical Support to obtain a hotfix.
Additional Information: For details, see KB 7021285.
Alert: Apache Commons Fileupload (CVE-2016-3092)
Date Posted: March 2016
Summary: MultipartStream class in Apache Commons Fileupload allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Product Status: This affects Host Access Management and Security Server 12.3 build 113 and Reflection for the Web 12.3 build 110 (12.3 initially shipped in July 2016). Apache Commons Fileupload and Apache Tomcat were upgraded in August 2016, in Host Access Management and Security Server 12.3 build 306 and Reflection for the Web 12.3 build 303.
Additional Information: For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3092
Alert: Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000)
Date Posted: October 2015
Summary: With TLS protocol 1.2, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions.
Product Status: Reflection for the Web 2014 and Reflection Security Gateway 2014: This issue is addressed in version 12.1[.nnn].318 and higher. Maintained customers can obtain the latest release from the Downloads website.
Additional Information: For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000
Alert: SSL 3.0 'POODLE' Vulnerability (CVE-2014-3566)
Date Posted: February 2015 – Modified October 2014
Summary: A vulnerability in the SSL 3.0 protocol that makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack ("POODLE").
Product Status: This issue is resolved in a hotfix in version 12.0.548 and higher. To obtain this hotfix, contact Attachmate Technical Support.
Additional Information: For vulnerability details, see the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
Alert: RSA Security Advisory: ESA-2013-068 Crypto-J Default DRBG May Be Compromised
Date Posted: December 2014
Summary: RSA strongly recommends that customers discontinue use of the default Dual EC DRBG (deterministic random bit generator) and move to a different DRBG.
Product Status: This issue is resolved in a hotfix in version 12.0.519 and higher. To obtain this hotfix, contact Attachmate Technical Support.
Additional Information: For details, see http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf.
Alert: OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted: April 2014
Summary: A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status: Reflection for the Web and Reflection Security Gateway are not affected by this issue.
Additional Information: For details and the latest information on mitigations, see the following:
US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Alert: Apache Commons Fileupload (CVE-2014-0114)
Date Posted: December 2013
Summary: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Product Status: This issue is resolved in a hotfix in version 12.0.320 and higher.
Additional Information: For vulnerability details, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Alert: Vulnerability Summary for CVE-2013-1571
Date Posted: October 2013
Summary: Javadoc HTML pages that were created by the Javadoc Tool included with Java 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and JavaFX 2.2.21 and earlier contain a frame injection vulnerability that could allow an attacker to replace a Javadoc web page frame with a malicious page.
Product Status: To mitigate the vulnerability you can:
- Configure the Reflection server to use https only (prohibiting http connections).
- Install the ECL API docs locally, rather than serving them from a web server.
Additional Information: For details, see the following:
National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1571
CERT Coordination Center (CERT/CC) Vulnerability Note VU#225657: http://www.kb.cert.org/vuls/id/225657
Oracle's Java API Documentation Updater Tool: http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html
Alert: Vulnerability Summary for CVE-2013-0422
Date Posted: January 2013
Summary: Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code, as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.
Product Status: Reflection for the Web is not subject to this vulnerability; however, user and administrator web pages must be accessed from a browser with the Java plug-in enabled. Also, if you've configured the non-default option of having sessions start using Java Web Start (JNLP), user browsers must have JNLP enabled to launch these sessions. It is the Java plug-in and Web Start that can be exploited, not Reflection for the Web. To minimize the risk described in this vulnerability on these systems, you should refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability. If you have upgraded to Java 7 Update 11, see Technical Note 2655 for information about the prompt, "Do you want to run this application?"
Additional Information: For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.
Alert: Apache Struts (CVE-2012-1007)
Date Posted: February 2012
Summary: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.
Product Status: Reflection for the Web, Reflection Security Gateway and Host Access Management and Security Server are not affected by this issue.
Additional Information: For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007
Alert: Multiple Oracle JRE Vulnerabilities
Summary: Multiple security issues have been addressed in the latest Oracle Java Update. Users running Reflection for the Web clients use the Java Runtime Environment and browser plug-in that is installed on their machine. To resolve the issues addressed by this Oracle Java security update, you should update the JRE on user machines to Java 6 Update 29 or higher.
Date Posted and Version Affected:
- December 2011: JRE vulnerabilities have been addressed in Reflection for the Web 2011 R1 Build 11.0[.nnn].527, installing Java Update 29; we recommend that you upgrade to Reflection for the Web 2011 R1 SP1 or higher.
- December 2011: JRE vulnerabilities have been addressed in Reflection for the Web 2011 R1 Build 11.0[.nnn].500, installing Java Update 26; we recommend that you upgrade to Reflection for the Web 2011 R1 SP1 or higher. JRE vulnerabilities have been addressed in Reflection for the Web 2008 R3 Build 10.2[.nnn].527, updating the version of Java included in the automated installers to Java 6 Update 26; we recommend that you upgrade to Reflection for the Web 2011 R1 SP1 or higher.
Additional Information: For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table.
Alert: Floating Point Number Vulnerability CVE-2010-4476
Date Posted: November 2011
Summary: Oracle Security Alert: "This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks (that is, it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability."
Product Status: Reflection for the Web 2008 R3 (10.2[.nnn].526 or earlier Reflection for the Web 2008 versions) includes a Java version that is vulnerable to this issue. To resolve the issue, upgrade to Reflection for the Web 2008 R3 Build 527 (10.2[.nnn].527 or higher) or Reflection for the Web 2011. If you installed Reflection for the Web manually, then you should upgrade the Java version to 6 Update 24 or higher. Users running Reflection for the Web clients use the Java Runtime Environment and browser plug-in that is installed on their machine. To resolve the issue, users must update the JRE on their machine to Java 6 Update 24 or higher.
Additional Information: For details see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html, and the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476.
Alert: Cross-site Scripting Vulnerability
Date Posted: October 2010
Summary: Certain versions of Reflection for the Web (Reflection for the Web 2008 version R2 (builds 10.1[.nnn].569 and earlier), Reflection for the Web 2008 R1, Reflection for the Web 9.6 and earlier) have a non-persistent cross-site scripting vulnerability, whereby malformed input can be reflected back to the user and executed as script within the user's web browser and within the security context of the user. The attacker would need to induce the user to voluntarily interact with the attack mechanism. The potential impact would depend on the configuration of the victim's browser and system.
Product Status: Reflection for the Web 2008 R2 (builds 10.1[.nnn].570 or higher) or higher versions are not affected. Reflection for the Web 2008 version R2 (builds 10.1[.nnn].569 and earlier), Reflection for the Web 2008 R1, and Reflection for the Web 9.6 and earlier are affected. To determine which version of Reflection for the Web you are running, log in to the Administrative WebStation, click Resources, and then click About Reflection for the Web. We recommend upgrading to the current version.
Alert: Vulnerability Advisory CPNI-957037
Date Posted: October 2010 - Modified October 2008
Summary: A design flaw in the SSH protocol's use of block ciphers in cipher block chaining mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low and results in terminating the user's SSH connection.
Product Status: Beginning in Reflection for the Web 2008 R3, counter mode cipher support is available. For more information about how this vulnerability affects Attachmate products, see KB 7022040.
Additional Information: For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.
Alert: US-CERT Vulnerability Note VU#845620
Date Posted: September 5, 2006
Summary: Multiple RSA implementations fail to properly handle signatures.
Product Status: Attachmate has determined that the usage of the RSA digital signature algorithm in Reflection for the Web is not subject to this vulnerability.
Additional Information: For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620.
Alert: US-CERT Vulnerability Note VU#680620
Date Posted: July 14, 2005
Summary: Buffer overflow vulnerability in versions 1.2.1 and 1.2.2 of the zlib data compression library inflate() routine.
Product Status: Reflection for the Web does not use zlib and is not subject to this vulnerability.
Additional Information: For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620.
Alert: Multiple iDEFENSE Security Advisories/US-CERT Vulnerability Note VU#800829
Date Posted: July 7, 2005
Summary: Multiple vendor telnet client information disclosure vulnerabilities.
Product Status: Reflection for the Web Telnet clients are not vulnerable to these issues as they return limited terminal information in response to the NEW_ENVIRONMENT command and use dynamically-sized buffering.
Additional Information: For details about these vulnerabilities, see the iDefense or US-CERT articles listed below.
iDefense:
http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
US-CERT: http://www.kb.cert.org/vuls/id/800829
Alert: Announcement of Successful Cryptanalytic Attack on SHA-1
Summary: Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm.
Product Status: Reflection products primarily use SHA-1 to create HMACs (Keyed Hashing for Message Authentication), for verification of message integrity. According to Schneier, because hash collisions are not a prominent concern, this use of SHA-1 is not affected by the cryptanalytic attack. (For further details, read the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html.) In the next several versions of products that use the SHA-1 algorithm, all vendors, including Attachmate, will likely move to phase out the use of SHA-1 hashes in digital signatures and add support for SHA-256 and other stronger hashing algorithms.
Additional Information: Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.
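The two points in this alert, that HMAC integrity checks depend on the key rather than on collision resistance, and that SHA-1 is nonetheless to be phased out in favour of SHA-256, can be seen together in a tagging scheme that records the algorithm beside the digest. The following is an added example and not Reflection or Attachmate code; the tag format, the function names and the sample key and message are constructed for illustration.

```python
import hmac

CURRENT_ALGORITHM = "sha256"
LEGACY_ALGORITHMS = {"sha1"}  # accepted only while a migration window is open

# Constructed sample key and message (not real product data).
SAMPLE_KEY = b"example-shared-secret-for-illustration-only"
SAMPLE_MESSAGE = b"session-record:user=alice;host=mainframe01;rows=24"


def make_tag(key: bytes, message: bytes, algorithm: str = CURRENT_ALGORITHM) -> str:
    """Return an HMAC tag as 'algorithm:hexdigest'. Recording the algorithm
    beside the digest is what lets a verifier phase SHA-1 out gradually."""
    if algorithm != CURRENT_ALGORITHM and algorithm not in LEGACY_ALGORITHMS:
        raise ValueError(f"unsupported HMAC algorithm: {algorithm}")
    return f"{algorithm}:{hmac.new(key, message, algorithm).hexdigest()}"


def verify_tag(key: bytes, message: bytes, tag: str, allow_legacy: bool = False) -> bool:
    """Check a tag produced by make_tag. Producing a valid tag for a new or
    altered message requires the key, which is why a collision attack on the
    bare hash does not by itself defeat HMAC-based integrity checks. The
    phase-out is still enforced through the allow_legacy switch."""
    algorithm, sep, digest = tag.partition(":")
    if not sep:
        return False
    if algorithm != CURRENT_ALGORITHM and not (allow_legacy and algorithm in LEGACY_ALGORITHMS):
        return False
    expected = hmac.new(key, message, algorithm).hexdigest()
    # Constant-time comparison so the check does not leak how many leading
    # characters of the supplied tag were correct.
    return hmac.compare_digest(expected, digest)


def migrate_tag(key: bytes, message: bytes, tag: str) -> str:
    """Re-tag a message whose legacy tag still verifies so that it carries a
    current-algorithm tag; raises if the existing tag does not verify."""
    if tag.startswith(CURRENT_ALGORITHM + ":") and verify_tag(key, message, tag):
        return tag
    if verify_tag(key, message, tag, allow_legacy=True):
        return make_tag(key, message)
    raise ValueError("tag does not verify; refusing to re-tag")


if __name__ == "__main__":
    legacy = make_tag(SAMPLE_KEY, SAMPLE_MESSAGE, "sha1")
    print("legacy tag accepted without window:", verify_tag(SAMPLE_KEY, SAMPLE_MESSAGE, legacy))
    print("legacy tag accepted within window: ", verify_tag(SAMPLE_KEY, SAMPLE_MESSAGE, legacy, allow_legacy=True))
    print("migrated tag:", migrate_tag(SAMPLE_KEY, SAMPLE_MESSAGE, legacy))
```

Tampering with either the message or the key makes verification fail regardless of algorithm, while the algorithm prefix gives an operator a single switch to close the SHA-1 window once all stored tags have been migrated.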
Alert: CERT Advisory CA-2003-26
Summary: Multiple Vulnerabilities in SSL/TLS Implementations.
Product Status: Attachmate has inspected Reflection for the Web and determined that it is not vulnerable to the issues addressed in this alert.
Additional Information: For details, see http://www.cert.org/advisories/CA-2003-26.html.
Alert: CERT Advisory CA-2002-36
Summary: Vulnerabilities in SSH2 Implementations from Multiple Vendors.
Product Status: Attachmate has tested Reflection for the Web with the provided test suite and found that it is not vulnerable to the SSH2 connection initialization, key exchange, and negotiation phase attacks.
Additional Information: For details, see http://www.cert.org/advisories/CA-2002-36.html.
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Other Useful Resources
- Operating system, host, and network effects on overall security: KB 7021969.
- Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
- Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
- Review security updates for other Attachmate products: https://support.microfocus.com/security/.
- Information about Attachmate products and FIPS 140-2: KB 7021285.
Legacy KB ID
This document was originally published as Attachmate Technical Note 1704