Environment
Reflection Desktop Pro
Reflection Desktop for X
Reflection Desktop for IBM
Reflection Desktop for UNIX and OpenVMS
Reflection Desktop for NonStop Add-On
Reflection 2014
Reflection Pro 2014
Reflection X 2014
Reflection for IBM 2014
Reflection for UNIX and OpenVMS 2014
Reflection for NonStop 2014 Add-On
Reflection Standard Suite 2011
Reflection for IBM 2011
Reflection for UNIX and OpenVMS 2011
Situation
This technical note describes security issues related to the Reflection products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.
Resolution
Other Useful Resources
- Operating system, host, and network effects on overall security: KB 7021969.
- Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
- Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
- Review security updates for other Attachmate products: https://support.microfocus.com/security/.
- Information about Attachmate products and FIPS 140-2: KB 7021285.
Java and Reflection 2014 or 2011
The Reflection Workspace and Reflection FTP Client do not use Java.
If you have also purchased Reflection Security Gateway or Reflection for the Web and use the Administrative WebStation to deploy Reflection sessions, a browser with a Java plug-in is required to launch those sessions.
Some Reflection 2014 and 2011 products include the Reflection X Advantage component described separately in KB 7021973.
Security Alerts and Advisories
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is not exhaustive; it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.
Alert: OpenSSL Montgomery Squaring Procedure Security Vulnerability (CVE-2017-3732)
Date Posted: January 2017
Summary: Certain OpenSSL versions have a bug in the Montgomery squaring procedure.
Product Status: This issue affects Reflection Desktop 16.0 version 16.0.390 and earlier (identified as version 16.0.390.0 or earlier in Reflection Workspace > Help > About, or Control Panel > Programs). This issue is addressed in version 16.0.399.0 and higher. Update to Reflection Desktop version 16.1 (16.1.124.0) or higher. Maintained customers can obtain the latest update on the Downloads website.
Additional Information: For vulnerability details, see the OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20170126.txt
Alert: OpenSSL OOB Read Security Vulnerability (CVE-2017-3731)
Date Posted: January 2017
Summary: Certain OpenSSL versions: if an SSL/TLS client is running on a 32-bit host and a specific cipher is being used, a truncated packet can cause a crash.
Product Status: This issue affects Reflection Desktop 16.0 version 16.0.390 and earlier (identified as version 16.0.390.0 or earlier in Reflection Workspace > Help > About, or Control Panel > Programs). This issue is addressed in version 16.0.399.0 and higher. Update to Reflection Desktop version 16.1 (16.1.124.0) or higher. Maintained customers can obtain the latest update on the Downloads website.
Additional Information: For vulnerability details, see the OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20170126.txt
Alert: OpenSSL Bad DHE Parameters Security Vulnerability (CVE-2017-3730)
Date Posted: January 2017
Summary: Certain OpenSSL versions accept bad DHE parameters that can cause a crash, which could be exploited as a denial of service.
Product Status: Reflection products do not have this vulnerability.
Additional Information: For vulnerability details, see the OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20170126.txt
Alert: OpenSSL Montgomery Multiplication Security Vulnerability (CVE-2016-7055)
Date Posted: November 2016
Summary: There is a carry-propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than, 256 bits.
Product Status: This issue affects Reflection Desktop 16.0 version 16.0.390 and earlier (identified as version 16.0.390.0 or earlier in Reflection Workspace > Help > About, or Control Panel > Programs). This issue is addressed in version 16.0.399.0 and higher. Update to Reflection Desktop version 16.1 (16.1.124.0) or higher. Maintained customers can obtain the latest update on the Downloads website.
Additional Information: For vulnerability details, see the OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20161110.txt
Alert: OpenSSL ASN.1 Encoder Security Vulnerability (CVE-2016-2108)
Date Posted: May 2016
Summary: Certain OpenSSL versions can misinterpret a large universal tag as a negative zero value, which may be able to trigger an out-of-bounds write.
Product Status: This issue affects Reflection Desktop 16.0 version 16.0.280 and earlier (identified as version 16.0.280.0 or earlier in Reflection Workspace > Help > About, or Control Panel > Programs). This issue is addressed in version 16.0.301.0 and higher. Update to Reflection Desktop version 16.0 SP1 (16.0.308.0) or Reflection Desktop version 16.1 (16.1.124.0). Maintained customers can obtain the latest update on the Downloads website.
Additional Information: For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2108
Alert: OpenSSL Null Pointer Dereference Vulnerability (CVE-2015-0289)
Date Posted: September 2015
Summary: Certain OpenSSL versions allow attackers to cause a denial of service (crash) by providing malformed PKCS#7 data.
Product Status: This issue affects Reflection 2014 version 15.6.1.797 and earlier (identified as version 15.6.797.0 or earlier in Reflection Workspace > Help > About, or Control Panel > Programs). This issue is addressed in version 15.6.1.808 (15.6.808.0) and higher. Update to R1 Service Pack 1 Update 1 (15.6.1.812 or 15.6.812.0) or higher. Maintained customers can obtain the latest update on the Downloads website.
Additional Information: For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289
Alert: OpenSSL Buffer Overflow Vulnerability (CVE-2015-0292)
Date Posted: September 2015
Summary: Certain OpenSSL versions allow remote attackers to cause a denial of service (memory corruption) or possibly other impact by using crafted base64 data that triggers a buffer overflow.
Product Status: This issue affects Reflection 2014 version 15.6.1.797 and earlier (identified as version 15.6.797.0 or earlier in Reflection Workspace > Help > About, or Control Panel > Programs). This issue is addressed in version 15.6.1.808 (15.6.808.0) and higher. Update to R1 Service Pack 1 Update 1 (15.6.1.812 or 15.6.812.0) or higher. Maintained customers can obtain the latest update on the Downloads website.
Additional Information: For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292
Alert: Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000)
Date Posted: September 2015
Summary: With TLS protocol 1.2, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions.
Product Status: This issue affects Reflection 2014 version 15.6.1.797 and earlier (identified as version 15.6.797.0 or earlier in Reflection Workspace > Help > About, or Control Panel > Programs). This issue is addressed in version 15.6.1.808 (15.6.808.0) and higher. Update to R1 Service Pack 1 Update 1 (15.6.1.812 or 15.6.812.0) or higher. Maintained customers can obtain the latest update on the Downloads website. Export-grade ciphers are not supported with the default encryption strength, and DH Group Exchange is requested with the highest preference. However, to avoid this vulnerability:
- Disable diffie-hellman-group1-sha1 in Key Exchange Algorithms.
- Verify that your SSH server does not return a weak DH group when Group Exchange is requested.
Additional Information: For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000
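The two mitigation steps above, as an added Python example that is not part of this technical note and not Reflection's own code: a client-side key-exchange policy that drops diffie-hellman-group1-sha1 from negotiation and rejects a group-exchange modulus that is too small. The server's KEXINIT list and the moduli are constructed inputs (the moduli are sized stand-ins, not real DH primes), and the 2048-bit minimum is an assumption chosen to sit above the 1024-bit groups the alert warns about.

```python
# Added example: Logjam-style hardening checks for an SSH client.
# Not Reflection code; every input below is constructed.

WEAK_KEX = {"diffie-hellman-group1-sha1"}   # fixed 1024-bit group (Oakley group 2)
MIN_GEX_BITS = 2048                         # assumption: smallest group we accept


def filter_kex_algorithms(offered):
    """Drop the weak fixed-group method from a server's KEXINIT list."""
    return [alg for alg in offered if alg not in WEAK_KEX]


def negotiate_kex(client_prefs, server_offered):
    """Pick the first client-preferred algorithm the server also offers
    (RFC 4253 section 7.1 ordering), after the weak one has been removed."""
    allowed = set(filter_kex_algorithms(server_offered))
    for alg in client_prefs:
        if alg in allowed:
            return alg
    return None


def check_gex_group(p, g):
    """Validate the group a server returns for diffie-hellman-group-exchange.

    Returns (ok, reason). Size is the Logjam concern; the parity and generator
    checks only catch obviously malformed parameters. A full client would also
    verify that p is a safe prime (or matches a known group), which is not done here.
    """
    bits = p.bit_length()
    if bits < MIN_GEX_BITS:
        return False, f"server returned a {bits}-bit DH group; minimum is {MIN_GEX_BITS}"
    if p % 2 == 0 or not 1 < g < p - 1:
        return False, "malformed DH parameters (even modulus or bad generator)"
    return True, f"{bits}-bit DH group accepted"


if __name__ == "__main__":
    # Constructed KEXINIT lists: the server still offers group1.
    server_offered = ["diffie-hellman-group1-sha1",
                      "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha256"]
    client_prefs = ["diffie-hellman-group-exchange-sha256",
                    "diffie-hellman-group14-sha1",
                    "diffie-hellman-group1-sha1"]
    print("negotiated:", negotiate_kex(client_prefs, server_offered))

    # Constructed moduli: sized stand-ins, not real primes.
    weak_p = (1 << 1023) | 1      # 1024-bit
    strong_p = (1 << 2047) | 1    # 2048-bit
    print(check_gex_group(weak_p, 2))
    print(check_gex_group(strong_p, 2))
```

The point of `negotiate_kex` is that removing the weak method from the server's list before negotiation means a client whose preference list still contains group1 (for compatibility with old hosts) can never end up on it; `check_gex_group` is the second step, applied after the server answers a group-exchange request.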
Alert: OpenSSL Client RSA Silent Downgrade Vulnerability (CVE-2015-0204)
Date Posted: June 2015, Updated September 2015
Summary: Certain OpenSSL client versions accept the use of a weak temporary export-grade key in a non-export RSA ciphersuite key exchange, thus enabling RSA-to-EXPORT_RSA downgrade attacks. The weakened encryption facilitates brute-force decryption ("FREAK" attack).
Product Status: This issue affects Reflection 2014 versions 15.6.1.761 and earlier (identified as version 15.6.761.0 or earlier in Help > About, or Control Panel > Programs). This issue is resolved in versions 15.6.1.765 and higher (identified as version 15.6.765.0 or higher after installation). Update to Reflection 2014 R1 SP1 Update 1 or higher. Maintained customers can obtain the latest update from the Downloads website.
Additional Information: For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
Alert: Stack Buffer Overflow Remote Code Execution Vulnerability in Reflection FTP Client (CVE-2014-5211)
Date Posted: January 2015
Summary: By sending a carefully crafted response, a malicious FTP server can cause a stack buffer overflow in the Reflection FTP Client.
Product Status: This issue affects the Reflection FTP Client in product versions 15.6.1.729 or earlier (identified as 15.6.729.0 or earlier in Help > About, or Control Panel > Programs). This issue is resolved beginning in product version 15.6.1.746 or higher (identified as version 15.6.746.0 or higher after installation). Upgrade to Reflection 2014 R1 SP1 (version 15.6.1.746, also identified as version 15.6.746) or higher, available from Attachmate Downloads.
Additional Information: Attachmate would like to thank an anonymous researcher, working with HP's Zero Day Initiative, for the discovery and responsible reporting of this vulnerability. For vulnerability details, see the National Vulnerability Database and Zero Day Initiative advisories:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5211
- http://www.zerodayinitiative.com/advisories/ZDI-15-008
Alert: Multiple Remote Code Execution Vulnerabilities in Reflection FTP Client Through ActiveX Interface (CVE-2014-0603, CVE-2014-0604, CVE-2014-0605)
Date Posted: August 2014
Summary: By sending specially crafted requests to the Reflection FTP Client OLE Automation (COM/ActiveX) API to upload a file to a system-specific folder, it is possible for an attacker to execute arbitrary code on the system.
Product Status: This issue affects the Reflection FTP Client in product versions 15.6.1.698 or earlier (identified as 15.6.698.0 or earlier in Help > About, or Control Panel > Programs). This issue is resolved beginning in product version 15.6.1.706 or higher (identified as version 15.6.706.0 or higher after installation). Upgrade to Reflection 2014 R1 SP1 (version 15.6.1.746, also identified as version 15.6.746) or higher, available from Attachmate Downloads.
Additional Information: Attachmate would like to thank Andrea Micalizzi (rgod), working with HP's Zero Day Initiative, for the discovery and responsible reporting of these vulnerabilities. For vulnerability details, see the National Vulnerability Database and Zero Day Initiative links below:
- CVE-2014-0603: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0603, http://www.zerodayinitiative.com/advisories/ZDI-14-288, http://www.zerodayinitiative.com/advisories/ZDI-14-291
- CVE-2014-0604: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0604, http://www.zerodayinitiative.com/advisories/ZDI-14-289
- CVE-2014-0605: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0605, http://www.zerodayinitiative.com/advisories/ZDI-14-290
Alert: OpenSSL "CCS Injection" Vulnerability CVE-2014-0224
Date Posted: August 2014
Summary: A vulnerability in OpenSSL could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic.
Product Status: This issue affects the Reflection FTP Client in product versions 15.6.1.698 or earlier (identified as 15.6.698.0 or earlier in Help > About, or Control Panel > Programs). This issue is resolved beginning in product version 15.6.1.706 or higher (identified as version 15.6.706.0 or higher after installation). Upgrade to Reflection 2014 R1 SP1 or higher, available from Attachmate Downloads.
Additional Information: For details and the latest information on mitigations, see the following:
- CERT-CC Vulnerability Note VU#978508: http://www.kb.cert.org/vuls/id/978508
- National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224
Alert: OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted: November 2014
Summary: A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status: This issue affects Reflection 2014 R1 TLS 1.2 connections for 3270/5250/VT and FTP. The default Reflection 2014 R1 TLS 1.0 connections and Reflection 2011 products are not subject to this vulnerability. This issue has been resolved beginning in Reflection 2014 R1 Hotfix 4 (15.6.0.660). Upgrade to Reflection 2014 R1 Update 1 or higher, available from Attachmate Downloads. Reflection for NonStop 2014 Add-On R1 and Reflection for NonStop 2011 may be vulnerable (connecting to Tandem/HP NonStop hosts). This issue is resolved beginning in Reflection for NonStop 2014 Add-On R1+SP1 (version 15.6.1.746), available from Attachmate Downloads.
Additional Information: For details and the latest information on mitigations, see the following:
- US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A
- CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951
- National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
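Every Product Status entry above compares an installed build against a fix threshold, and the note gives each build in two forms: a product version such as 15.6.1.797, and the version shown in Help > About or Control Panel > Programs, 15.6.797.0. The following Python is an added example, not Attachmate code, that normalizes both forms and reports which of the Reflection Desktop 16.0 and Reflection 2014 fixes listed in this note a given build lacks. The advisory table is transcribed from the entries above; the normalization rule (the build is the third component when the fourth is 0, otherwise the fourth) is inferred from the version pairs the note gives and is an assumption beyond what the note states.

```python
# Added example: decide which fixes in this note an installed Reflection build lacks.
# Not Attachmate code. The advisory table is transcribed from the Product Status
# entries above; the two-form version rule is inferred from the pairs the note gives.
from typing import List, NamedTuple, Tuple


class Advisory(NamedTuple):
    cve: str
    product: str      # product line as named in the note
    fixed_in: str     # first build the note states contains the fix


# Transcribed from this note's "addressed in" / "resolved in" statements.
ADVISORIES = [
    Advisory("CVE-2017-3732", "Reflection Desktop 16.0", "16.0.399.0"),
    Advisory("CVE-2017-3731", "Reflection Desktop 16.0", "16.0.399.0"),
    Advisory("CVE-2016-7055", "Reflection Desktop 16.0", "16.0.399.0"),
    Advisory("CVE-2016-2108", "Reflection Desktop 16.0", "16.0.301.0"),
    Advisory("CVE-2015-0289", "Reflection 2014", "15.6.1.808"),
    Advisory("CVE-2015-0292", "Reflection 2014", "15.6.1.808"),
    Advisory("CVE-2015-4000", "Reflection 2014", "15.6.1.808"),
    Advisory("CVE-2015-0204", "Reflection 2014", "15.6.1.765"),
    Advisory("CVE-2014-5211", "Reflection 2014", "15.6.1.746"),
    Advisory("CVE-2014-0603", "Reflection 2014", "15.6.1.706"),
    Advisory("CVE-2014-0604", "Reflection 2014", "15.6.1.706"),
    Advisory("CVE-2014-0605", "Reflection 2014", "15.6.1.706"),
    Advisory("CVE-2014-0224", "Reflection 2014", "15.6.1.706"),
    Advisory("CVE-2014-0160", "Reflection 2014", "15.6.0.660"),
]


def normalize(version: str) -> Tuple[int, int, int]:
    """Map either version form to (major, minor, build).

    Product form   15.6.1.797 = major.minor.servicepack.build
    Installed form 15.6.797.0 = major.minor.build.0 (Help > About, Control Panel)
    Assumption: a trailing 0 marks the installed form, whose build is the third
    component; otherwise the build is the fourth component.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric components, got {version!r}")
    major, minor, third, fourth = (int(p) for p in parts)
    build = third if fourth == 0 else fourth
    return (major, minor, build)


def outstanding_advisories(installed_version: str) -> List[str]:
    """CVEs from the table whose fix the installed build predates.

    Only advisories whose fix is on the same major.minor line are compared;
    a build from another line (for example 16.1.x against the 16.0.x fixes)
    gets an empty result because the table says nothing about it.
    """
    inst = normalize(installed_version)
    missing = []
    for adv in ADVISORIES:
        fix = normalize(adv.fixed_in)
        if fix[:2] == inst[:2] and inst < fix:
            missing.append(adv.cve)
    return missing


if __name__ == "__main__":
    # Constructed sample inputs as they would appear in Control Panel > Programs.
    for shown in ("15.6.797.0", "15.6.812.0", "16.0.390.0", "16.0.399.0"):
        print(shown, "->", outstanding_advisories(shown) or "no outstanding fixes in table")
```

Because the comparison is done on the normalized triple, the same build reads the same whether taken from this note's product-version wording or from the installed-version string, which is where most "am I affected?" mistakes with this numbering come from.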
Alert: Vulnerability Summary for CVE-2013-0422
Date Posted: January 2013
Summary: Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code, as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.
Product Status: Reflection 2011 or higher products are not subject to this vulnerability; however, Reflection sessions configured using the Administrative WebStation (included in Reflection Administrator, Reflection Security Gateway, and Reflection for the Web, sold separately from Reflection) require that Reflection be launched from a browser with a Java plug-in enabled. It is this JRE plug-in and Java Web Start that can be exploited, not Reflection. To launch sessions using the login/links page and minimize the risk described in this vulnerability, you should refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability.
Additional Information: For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.
Alert: Vulnerability in Visual Basic for Applications Could Allow Remote Code Execution (MS12-046)
Date Posted: October 2012
Summary: The vulnerability could allow remote code execution if a user opens a legitimate Microsoft Office file (such as a .docx file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Product Status: The issue is resolved beginning in Reflection 2011 R3. The VBA version (6.5.10.54) included in Reflection 2011 R3 addresses the VBA vulnerability.
Additional Information: For details, see Microsoft Security Bulletin MS12-046 at http://www.microsoft.com/technet/security/bulletin/ms12-046.mspx.
Alert: OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110
Date Posted: October 2012 (modified June 2012)
Summary: An ASN.1 input function does not properly interpret integer data, which allows local attackers to conduct buffer overflow attacks and cause a denial of service (memory corruption) via crafted DER data, as demonstrated by an X.509 certificate.
Product Status: The issue is resolved beginning in version 15.4.1.397. Upgrade to Reflection 2011 R3 (15.5.0.28) or higher.
Additional Information: For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110.
Alert: OpenSSL Block Cipher Padding Vulnerability CVE-2011-4576
Date Posted: May 2012 (modified February 2012)
Summary: The SSL 3.0 implementation in the Reflection SSL client does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Product Status: The issue is resolved beginning in version 15.4.1.356. Upgrade to Reflection 2011 R2 SP1 or higher.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4576.
Alert: Heap Overflow in Reflection FTP Client
Date Posted: May 2012 (modified November 2011)
Summary: The Reflection FTP Client is subject to a heap overflow that could result in remote code execution at the authenticated user's privilege level. The vulnerability requires a user to connect to a malicious FTP server and interact with a specially crafted file.
Product Status: The Reflection FTP Client included with Reflection 2008; Reflection 2011 R1 (15.3.436.0) and R1 Service Pack 1 (SP1) (15.3.569.0); and Reflection 2011 R2 (15.4.327.0) is subject to this vulnerability. The issue is resolved beginning in version 15.3.2.569 for Reflection 2011 R1 SP1, and in version 15.4.1.327 for Reflection 2011 R2. Upgrade to Reflection 2011 R2 SP1.
Additional Information: Attachmate would like to thank Francis Provencher of Protek Research Labs for discovering and reporting the vulnerability.
Alert: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution CVE-2011-0977
Date Posted: November 2011
Summary: Reflection products with VBA features (Reflection 2011 R1 and Reflection 2008) include redistributable Microsoft VBA 6.4 files. There are reported vulnerabilities specific to how Microsoft Office uses these files. To resolve these vulnerabilities, Microsoft recommends applying an update to Microsoft Office.
Product Status: Reflection products do not have this vulnerability.
Additional Information: For details, see Microsoft Security Bulletin MS11-023 at http://www.microsoft.com/technet/security/bulletin/ms11-023.mspx.
Alert: Untrusted Search Path Vulnerability CVE-2011-0107
Date Posted: November 2011
Summary: An untrusted search path vulnerability in Reflection for UNIX and OpenVMS 2011 allows local users to gain privileges via a Trojan horse .DLL in the current working directory with several registered file types. This is similar to the untrusted search path vulnerability described in CVE-2011-0107 in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 that allows local users to gain privileges via a Trojan horse .DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability."
Product Status: This issue has been fixed starting in Reflection 2011 R1 SP1. Reflection for IBM 2011 is not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0107.
Alert: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution CVE-2010-3190
Date Posted: November 2011
Summary: An untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."
Product Status: Reflection 2011 R1 and Reflection 2008 products ship with these MFC redistributables. Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service. Reflection 2011 R2 is not affected because it ships with updated MFC redistributables.
Additional Information: For details, see Microsoft Security Bulletin MS11-025 at http://www.microsoft.com/technet/security/bulletin/ms11-025.mspx.
Alert: Vulnerability Advisory CPNI-957037
Date Posted: July 2010 (modified October 2008)
Summary: A design flaw in the SSH protocol's use of block ciphers in cipher block chaining mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, and an attempt results in terminating the user's SSH connection.
Product Status: Reflection 2011 products continue to offer the AES counter-mode ciphers available in Reflection 2008, and now also prevent premature disconnection during password or keyboard-interactive authentication. For more information about how this vulnerability affects Attachmate products, see KB 7022040.
Additional Information: For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.
Alert: MD2 Signed Certificate Hash Collision Vulnerability CVE-2009-2409
Date Posted: July 2010
Summary: Hash collisions in MD2 and MD5 signed certificate signatures have been publicly demonstrated in controlled research laboratories, leading to potential user or server certificate spoofing attacks.
Product Status: Reflection products listed in the Applies To section of this technical note are subject to this vulnerability, although the computation time to generate these certificates is still considered unfeasibly large. Beginning in Reflection 2011, use of MD2 or MD5 signed intermediate Certification Authority certificates is no longer allowed by default, but can be configured if needed for legacy certificate chain validation.
Additional Information: This issue is similar to the vulnerability described in CVE-2009-2409, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2409.
Alert: Null Truncation in X.509 Common Name Vulnerability CVE-2009-2408
Date Posted: July 2010
Summary: Attackers could acquire a server certificate containing NULL (\0) characters in the Subject's Common Name field of an X.509 certificate issued by a legitimate Certificate Authority, which could allow man-in-the-middle attacks that spoof legitimate servers.
Product Status: Reflection products listed in the Applies To section of this technical note are subject to this vulnerability. Beginning in Reflection 2011, all attribute fields used to authenticate the host (namely, the Subject Common Name and SubjectAlternativeName fields) are checked for illegal (non-printable) characters, and the certificate is rejected if any are found.
Additional Information: This issue is similar to the vulnerability described in CVE-2009-2408, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2408.
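The two Reflection 2011 behaviours just described, rejecting MD2/MD5-signed intermediate CA certificates unless legacy chain validation is enabled (previous alert) and rejecting a host certificate whose Common Name or SubjectAlternativeName fields contain non-printable characters (this alert), as one added Python example. It is not Attachmate's implementation: it operates on already-parsed certificate fields held in a constructed `Cert` dataclass rather than on DER, and the wildcard-matching rule in `matches_host` is an assumption the note does not specify.

```python
# Added example: certificate-chain policy checks modelled on the Reflection 2011
# behaviours this note describes. Not Attachmate code; works on parsed fields
# held in a constructed dataclass, not on DER.
from dataclasses import dataclass, field
from typing import List, Tuple

WEAK_SIGNATURE_HASHES = {"md2", "md5"}


@dataclass
class Cert:
    subject_cn: str
    sans: List[str] = field(default_factory=list)   # dNSName entries
    signature_hash: str = "sha256"                  # hash in the issuer's signature


def has_illegal_chars(name: str) -> bool:
    """True if a name field holds control or other non-printable characters.

    A NUL inside a CN is the CVE-2009-2408 case: a C-string comparison stops at
    the NUL, so 'www.good.test\\x00evil.test' would compare equal to 'www.good.test'.
    """
    return any(not ch.isprintable() for ch in name)


def host_names(cert: Cert) -> List[str]:
    """All fields used to authenticate the host: Subject CN plus SANs."""
    return [cert.subject_cn, *cert.sans]


def matches_host(pattern: str, host: str) -> bool:
    """Case-insensitive match; a single left-most wildcard label is allowed
    (assumption: the note does not state Reflection's wildcard rule)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def check_chain(chain: List[Cert], expected_host: str,
                allow_weak_intermediates: bool = False) -> Tuple[bool, str]:
    """chain[0] is the host certificate, chain[1:] the intermediate CAs.

    Order matters: name fields are rejected on illegal characters before any
    matching is attempted, so a truncation trick never reaches the comparison.
    """
    leaf = chain[0]
    for name in host_names(leaf):
        if has_illegal_chars(name):
            return False, f"illegal character in certificate name {name!r}"
    for ca in chain[1:]:
        if ca.signature_hash.lower() in WEAK_SIGNATURE_HASHES and not allow_weak_intermediates:
            return False, f"intermediate {ca.subject_cn!r} is {ca.signature_hash}-signed"
    if not any(matches_host(n, expected_host) for n in host_names(leaf)):
        return False, f"no certificate name matches {expected_host!r}"
    return True, "certificate accepted"


if __name__ == "__main__":
    # Constructed chains (the root is assumed to be in the trust store and is omitted).
    ca = Cert("Example Issuing CA")
    legacy_ca = Cert("Legacy Issuing CA", signature_hash="md5")
    good = Cert("www.example.test", ["www.example.test"])
    nul = Cert("www.example.test\x00evil.test")
    print(check_chain([good, ca], "www.example.test"))
    print(check_chain([nul, ca], "www.example.test"))
    print(check_chain([good, legacy_ca], "www.example.test"))
    print(check_chain([good, legacy_ca], "www.example.test", allow_weak_intermediates=True))
```

`allow_weak_intermediates` stands in for the legacy-chain override the MD2 alert mentions; it is off by default so that the weak-hash rejection is the behaviour a fresh configuration gets, and the name-character check has no override at all, matching the unconditional rejection this alert describes.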
Alert: OpenSSL Cryptographic Message Syntax Vulnerability CVE-2010-0742
Date Posted: June 2010
Summary: The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Product Status: Attachmate Reflection products are not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742.
Alert: OpenSSL RSA Verification Recovery Vulnerability CVE-2010-1633
Date Posted: June 2010
Summary: RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.
Product Status: Attachmate Reflection products are not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633.
Alert: US-CERT Technical Cyber Security Alert TA10-131A
Date Posted: May 2010
Summary: A remote code execution vulnerability exists in the way that Microsoft Visual Basic for Applications searches for ActiveX controls, as described in Microsoft Security Bulletin MS10-031 and Microsoft Security Advisory KB 974945.
Product Status: Reflection products listed in the Applies To section of this technical note contain ActiveX controls that are subject to this vulnerability. If you have any Microsoft Office products installed and use Microsoft Update to keep your systems secure, the Microsoft patches described in Microsoft Security Bulletin MS10-031 (http://www.microsoft.com/technet/security/bulletin/ms10-031.mspx) will automatically update the vulnerable VBE6.DLL file used by Reflection applications. The patch for systems that are not updated automatically using Microsoft Update can be downloaded from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=436a8a66-352e-44d1-a610-c825083ad24a
Additional Information: For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-131A.html.
Alert: Drawing Object Vulnerability CVE-2007-1747
Date Posted: October 2009
Summary: Reflection products with VBA features (Reflection 2008, Reflection 2007, and Reflection 14.x and earlier) include redistributable Microsoft VBA 6.4 files. There are reported vulnerabilities specific to how Microsoft Office uses these files. To resolve these vulnerabilities, Microsoft recommends applying an update to Microsoft Office.
Product Status: Attachmate Reflection products do not have this vulnerability.
Additional Information: For details, see Microsoft Security Bulletin MS07-025 at http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx.
Alert: US-CERT Technical Cyber Security Alert TA09-209A
Date Posted: 28 July 2009
Summary: Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status: Attachmate products listed in the Applies To section of this technical note contain the non-vulnerable ATL. Be sure to apply all Microsoft ATL critical patches to your systems as described in Microsoft Security Bulletin MS09-035, http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx.
Additional Information: For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.
Alert: US-CERT Vulnerability Note VU#419344
Date Posted: April 2007
Summary: An authenticated user may be able to execute arbitrary code on a host running kadmind. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling either the RPC library or the GSS-API library provided with MIT krb5 may be vulnerable.
Product Status: Attachmate products (including NetIQ products) are not vulnerable.
Additional Information: For details, see the CERT web site at http://www.kb.cert.org/vuls/id/419344.
Alert: US-CERT Vulnerability Note VU#704024
Date Posted: April 2007
Summary: A buffer overflow exists in the krb5_klog_syslog() function used by kadmind and the KDC. An authenticated user may be able to execute arbitrary code on a host running kadmind. An authenticated user may be able to execute arbitrary code on a KDC host. Also, a user controlling a Kerberos realm sharing a key with the target realm may be able to execute arbitrary code on a KDC host. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling krb5_klog_syslog() may also be vulnerable.
Product Status: Attachmate products (including NetIQ products) are not vulnerable.
Additional Information: For details, see the CERT web site at http://www.kb.cert.org/vuls/id/704024.
Alert: US-CERT Vulnerability Note VU#220816
Date Posted: April 2007
Summary: A remotely exploitable root vulnerability is present in an application which ships in the krb5 sources.
Product Status: Attachmate products (including NetIQ products) are not vulnerable.
Additional Information: For details, see the CERT web site at http://www.kb.cert.org/vuls/id/220816.
Alert: US-CERT Vulnerability Note VU#831452: Kerberos administration daemon may free uninitialized pointers
Date Posted: April 2007
Summary: An unauthenticated user may cause execution of arbitrary code in the Kerberos administration daemon, "kadmind", by causing it to free uninitialized pointers which should have been initialized by the GSS-API library. Compromise of the Kerberos key database may result. Third-party server applications written using the GSS-API library provided with MIT krb5 may also be vulnerable. Affected releases are krb5-1.5 through krb5-1.5.1.
Product Status: Attachmate products (including NetIQ products) are not vulnerable.
Additional Information: For details, see the CERT web site at http://www.kb.cert.org/vuls/id/831452.
Alert: US-CERT Vulnerability Note VU#845620: RSA Public Exponent 3
Date Posted: September 2006
Summary: Multiple RSA implementations fail to properly handle signatures. This applies to Secure Shell and SSL/TLS encrypted connections.
Product Status: For more information about how this vulnerability affects Reflection products, see KB 7021933.
Additional Information: For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620.
Alert: US-CERT Vulnerability Note VU#680620
Date Posted: July 14, 2005
Summary: Buffer overflow vulnerability in versions 1.2.1 and 1.2.2 of the zlib data compression library inflate() routine.
Product Status: The Reflection Secure Shell client uses zlib version 1.1.4, which is not subject to this vulnerability.
Additional Information: For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620.
Alert: Announcement of Successful Cryptanalytic Attack on SHA-1
Summary: Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm.
Product Status: Reflection products primarily use SHA-1 to create HMACs (Keyed-Hashing for Message Authentication) for verification of message integrity. According to Schneier, because hash collisions are not a prominent concern in that use, this use of SHA-1 is not affected by the cryptanalytic attack. In the next several versions of products that use the SHA-1 algorithm, all vendors, including Attachmate, will likely phase out the use of SHA-1 hashes in digital signatures and add support for SHA-256 and other stronger hashing algorithms.
Additional Information: Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.
Alert: US-CERT Vulnerability Note VU#686862
Summary: MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflows.
Product Status: The Reflection Kerberos Client is not subject to the krb5_aname_to_localname() vulnerabilities (VU#686862) because it contains client functionality only and does no mapping of principal name to username.
Additional Information: For details, see http://www.kb.cert.org/vuls/id/686862.
Alert: Microsoft VBA Security Update
Summary: Microsoft has identified a critical security issue with Visual Basic for Applications (VBA).
Product Status: For information about this issue, see KB 7021625.
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.