Environment
Situation
This technical note describes security issues related to Reflection X Advantage. If you rely on the security features of this product, you should consult this technical note on a regular basis for any updated information regarding these features.
Note: Reflection X Advantage is available as a component of multiple Reflection products; see KB 7021831 for more information.
Resolution
Other Useful Resources
- Operating system, host, and network effects on overall security: KB 7021969.
- Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
- Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
- Review security updates for other Attachmate products: https://support.microfocus.com/security/.
- Information about Attachmate products and FIPS 140-2: KB 7021285.
- Information about Reflection PKI Services Manager: Security Alerts - Reflection PKI Services Manager.
Java and Reflection X Advantage
A Java Runtime Environment (JRE) is required for all Reflection X Advantage applications and services. Oracle periodically provides security updates for Java. Attachmate assesses the impact of Java security vulnerabilities on Reflection X Advantage and supplies updated installation packages as needed to provide customers with Java security fixes.
The options available to you for installing Java updates depend on which version of Reflection X Advantage you are running.
Version 5.0 or higher on Windows
Reflection X Advantage 5.0 installs a private Java by default. On Windows, this installation is accomplished using a separate Java installation package. The Java installation package runs automatically when you install using the Setup user interface and include the "Java Runtime Environment (JRE)" feature (the default). On UNIX systems, Java is included in the Reflection X Installer, not as a separate installation package.
- Installing Updates to the Default Copy of Java (Windows only)
Attachmate provides updated Java installers as needed when a Java security vulnerability affects Reflection X Advantage. This technical note will be updated when an updated Attachmate Java installer is available. You can download the updated version and apply it independently of any updates you apply to the main Reflection installer package. For more information, see KB 7021833.
- Installing Updates Directly from Oracle
If you prefer to update Java more frequently, you can monitor the Oracle site and install Java directly using the Oracle JDK installer (which installs the server JRE). To use this option, you need to deselect the "Java Runtime Environment (JRE)" feature in the Reflection installer and configure a Windows environment variable (RXA_JRE_HOME) to direct Reflection X Advantage to use the non-default JRE. For full functionality, you also need to apply the Java Cryptography Extension. The cryptography extension is recommended for all installations. The cryptography extension is required if you run in domain mode and/or if you enforce higher security standards by running in FIPS mode. For details, see "Changing the JRE" in the Reflection X Advantage Help (https://docs.attachmate.com/reflection/rxa/5.0/en/tshelp/rxa_change_jre.htm).
Note: If you don't install the default Java and also don't configure the RXA_JRE_HOME environment variable, Reflection X Advantage attempts to find a system JRE already installed using the Oracle installer. Relying on this option is not recommended. The default JRE installed from a browser does not include unlimited strength cryptography files and installs the client, not the server JRE.
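As an added example (not from the technical note or from the product), the following check reads the JRE that RXA_JRE_HOME points at and compares its version with a minimum taken from the alert table; the `<RXA_JRE_HOME>/bin/java` path and the `java -version` banner format are assumptions, and the sample banners are constructed.

```python
"""Verify that the JRE Reflection X Advantage will use meets an advisory minimum.

Added example, not part of the Attachmate technical note. Assumptions not
stated by the note: the JRE is found as <RXA_JRE_HOME>/bin/java, and its
version is read from the first line `java -version` writes to stderr, e.g.
    java version "1.8.0_71"
The minimum "1.8.0_71" is the one listed in the note's April 2016 alert entry.
"""
import os
import re
import subprocess
from typing import Mapping, Optional, Tuple

Version = Tuple[int, int, int, int]  # (1, 8, 0, 71) for "1.8.0_71"

# Java 7/8 version strings look like 1.<family>.0_<update>, optionally followed
# by a build suffix such as "-b15" that does not change the patch level.
_VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)_(\d+)')


def parse_version(text: str) -> Optional[Version]:
    """Parse "1.8.0_71" or "1.8.0_71-b15" into a numerically comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    a, b, c, d = (int(g) for g in m.groups())
    return (a, b, c, d)


def version_from_banner(banner: str) -> Optional[Version]:
    """Extract the version from a `java -version` banner (first line only).

    Returns None for anything not in the legacy 1.x.y_uu format so the caller
    fails closed instead of treating an unparsable runtime as current.
    """
    for line in banner.splitlines():
        m = re.search(r'java version "([^"]+)"', line)
        if m:
            return parse_version(m.group(1))
    return None


def meets_minimum(installed: Optional[Version], minimum: Version) -> bool:
    """True only if the runtime is known and at or above the minimum.

    Tuple comparison treats the update field as a number, so 1.8.0_101 is
    newer than 1.8.0_71 (a plain string compare would get that wrong).
    """
    return installed is not None and installed >= minimum


def assess(banner: str, minimum_str: str) -> dict:
    """Evaluate one banner against one advisory minimum."""
    minimum = parse_version(minimum_str)
    if minimum is None:
        raise ValueError(f"bad minimum version: {minimum_str!r}")
    installed = version_from_banner(banner)
    return {"installed": installed, "minimum": minimum,
            "ok": meets_minimum(installed, minimum)}


def check_rxa_jre(minimum_str: str, env: Mapping[str, str] = os.environ) -> dict:
    """Locate the JRE via RXA_JRE_HOME and run `java -version` against it."""
    home = env.get("RXA_JRE_HOME")
    if not home:
        return {"installed": None, "minimum": parse_version(minimum_str),
                "ok": False, "error": "RXA_JRE_HOME is not set"}
    java = os.path.join(home, "bin", "java.exe" if os.name == "nt" else "java")
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    except OSError as exc:  # missing or non-executable java binary
        return {"installed": None, "minimum": parse_version(minimum_str),
                "ok": False, "error": f"cannot run {java}: {exc}"}
    return assess(proc.stderr or proc.stdout, minimum_str)  # banner is on stderr


# Constructed sample banners standing in for real `java -version` output.
SAMPLE_CURRENT = ('java version "1.8.0_71"\n'
                  'Java(TM) SE Runtime Environment (build 1.8.0_71-b15)\n')
SAMPLE_STALE = ('java version "1.7.0_80"\n'
                'Java(TM) SE Runtime Environment (build 1.7.0_80-b15)\n')

if __name__ == "__main__":
    for label, banner in (("current", SAMPLE_CURRENT), ("stale", SAMPLE_STALE)):
        print(label, assess(banner, "1.8.0_71"))
    print("RXA_JRE_HOME", check_rxa_jre("1.8.0_71"))
```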
Version 4.2 and Earlier on Windows (Included in Reflection 2011 Products)
All UNIX Installations
Prior to version 5.0, all Reflection X Advantage installations included a private copy of Java included directly in the product installer. Reflection X Advantage UNIX installers continue to install Java this way. For these products, Attachmate will update the Reflection installer with an updated version of Java as needed when a Java security vulnerability affects Reflection X Advantage. This technical note will be updated when an updated Reflection installer is available.
For more information about Java and Attachmate products, see KB 7021973.
Security Alerts and Advisories
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.
Alert | Multiple Oracle Java Vulnerabilities |
Summary | Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you keep current with Java releases. |
Date Posted and Product Status | April 2016 – For Windows, an updated Attachmate installation package for Java 8 Update 71 (JDK 1.8.0_71) or higher is available from Attachmate Downloads for Reflection Desktop for X, Reflection Desktop Pro, Reflection Suite for X, and Reflection X customers. For information about How to Update Java Using the Attachmate Installation Package, see KB 7021833. For UNIX: For information about How to Update Java used by Reflection X Advantage on UNIX Systems, see KB 7021834. |
Date Posted and Product Status | September 2015 – For UNIX, Java 7 Update 75 (JDK 1.7.0_75) is included in Reflection X Advantage 5.0 Service Pack 1 Update 1 (version 5.0.985), available from the Downloads website. If you wish to use a newer Java version on UNIX, see KB 7021834. |
Date Posted and Product Status | April 2015 – For Windows, an updated Attachmate installation package for Java 7 Update 80 (JDK 1.7.0_80) or higher is available from Attachmate Downloads for Reflection X 2014, Reflection Pro 2014, Reflection X 14.x, and Reflection Suite for X 14.x customers. For information about How to Update Java Using the Attachmate Installation Package, see KB 7021833. For UNIX: For information about How to Update Java used by Reflection X Advantage on UNIX Systems, see KB 7021834. |
Date Posted and Product Status | February 2015 – For Windows, an updated Attachmate installation package for Java 7 Update 75 (JDK 1.7.0_75) or higher is available from Attachmate Downloads for Reflection X 2014, Reflection Pro 2014, Reflection X 14.x, and Reflection Suite for X 14.x customers. For information about How to Update Java Using the Attachmate Installation Package, see KB 7021833. For UNIX, a hotfix that includes Java 7 Update 75 (JDK 1.7.0_75) is available by contacting Attachmate Technical Support. |
Date Posted and Product Status | October 2014 – For Windows, an updated Attachmate installation package for Java 7 Update 71 (JDK 1.7.0_71) or higher is available from Attachmate Downloads for Reflection X 2014, Reflection Pro 2014, Reflection X 14.x, and Reflection Suite for X 14.x customers. For information about How to Update Java Using the Attachmate Installation Package, see KB 7021833. For UNIX: For information about How to Update Java used by Reflection X Advantage on UNIX Systems, see KB 7021834. |
Date Posted and Product Status | August 2014 – For Windows, an updated Attachmate installation package for Java 7 Update 65 (JDK 1.7.0_65) or higher is available from Attachmate Downloads for Reflection X 2014, Reflection Pro 2014, Reflection X 14.x, and Reflection Suite for X 14.x customers. For information about How to Update Java Using the Attachmate Installation Package, see KB 7021833. For UNIX: For information about How to Update Java used by Reflection X Advantage on UNIX Systems, see KB 7021834. |
Date Posted and Product Status | May 2014 – For UNIX: Reflection X Advantage 5.0 Update 1 installs Java 7 Update 55 (JDK 1.7.0_55). For Windows, an updated Attachmate installation package for Java 7 Update 55 (JDK 1.7.0_55) or higher is available from Attachmate Downloads for Reflection X 2014, Reflection Pro 2014, Reflection X 14.x, and Reflection Suite for X 14.x customers. For information about How to Update Java Using the Attachmate Installation Package, see KB 7021833. |
Date Posted and Product Status | February 2014 – Reflection X Advantage 5.0 installs Java 7 Update 45 (JDK 1.7.0_45). |
Date Posted and Product Status | August 2013 – Reflection X Advantage 4.2 Service Pack 1 installs Java 7 Update 13 (JDK 1.7.0_13). |
Date Posted and Product Status | October 2012 – Reflection X Advantage 4.2 installs Java 7 Update 5 (JDK 1.7.0_05). |
Additional Information | For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table. |
Alert | glibc Stack-based Buffer Overflow Vulnerability (CVE-2015-7547) |
Date Posted | February 2016 |
Summary | The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() function is used. |
Product Status | Reflection X Advantage version 5.0 and later is subject to this vulnerability when run on Red Hat or SUSE platforms if the GNU C Library (glibc) installed on the system is version 2.9 or greater. For information on how to update your Red Hat system, see https://access.redhat.com/security/cve/cve-2015-7547. For information on how to update your SUSE system, see https://www.suse.com/support/update/announcement/2016/suse-su-20160471-1.html. Reflection X Advantage version 5.0 and later running on AIX, HP-UX, and Solaris systems is not vulnerable. Reflection X Advantage versions 4.2 and earlier are not vulnerable. |
Additional Information | For vulnerability details, see: https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html. |
Alert | Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000) |
Date Posted | June 2015, Updated September 2015 |
Summary | With TLS protocol 1.2, if DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH Groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions. |
Product Status | X server connections are not vulnerable to the man-in-the-middle cipher downgrade attack, as DHE_EXPORT is not supported. SSH client connections used to start X clients may be vulnerable, depending on the SSH server. Although the 2048-bit Group Exchange algorithm is requested by default, a vulnerable 1024-bit Group is enabled and accepted in X client definitions created with version 5.0.977 or earlier. To avoid this vulnerability: (1) disable the Group1 (1024-bit) algorithm in your X client definition (SSH > Advanced > Encryption > Key Exchange Algorithms); (2) verify that your SSH server does not return a 1024-bit Group when 2048-bit Group Exchange is requested. Beginning with Reflection X Advantage version 5.0.983, Group1 is disabled by default for new X client definitions using SSH. For Windows platforms, this version is included with Reflection 2014 hotfix installers beginning in version 15.6.1.797. Maintained customers can obtain Reflection X Advantage 5.0 Service Pack 1 Update 1 (version 9.0.985) or higher from the Downloads website. |
Additional Information | For details, see the National Vulnerability Database site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000 |
Alert | FreeType Library Vulnerabilities (CVE-2014-9657 and CVE-2014-9658) |
Date Posted | June 2015, Updated September 2015 |
Summary | Functions in the FreeType library before version 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. |
Product Status | These issues are addressed in Reflection X Advantage version 5.0.977 and higher. For Windows platforms, this version is included with Reflection 2014 hotfix installers beginning in version 15.6.1.797. Maintained customers can obtain Reflection X Advantage 5.0 Service Pack 1 Update 1 (version 9.0.985) or higher from the Downloads website. |
Additional Information | For details, see the National Vulnerability Database site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9657 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9658 |
Alert | Multiple X.Org BDF Font Parser Vulnerabilities (CVE-2015-1802, CVE-2015-1803, CVE-2015-1804) |
Date Posted | April 2015, Updated September 2015 |
Summary | The bdfReadProperties and bdfReadCharacters functions in bitmap/bdfread.c in X.Org libXfont allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted BDF font file or font properties. |
Product Status | These issues are fixed in Reflection X Advantage beginning in version 5.0.974. For Windows platforms, this version is included with Reflection 2014 hotfix installers beginning in version 15.6.1.788. Maintained customers can obtain Reflection X Advantage 5.0 Service Pack 1 Update 1 (version 9.0.985) or higher from the Downloads website. |
Additional Information | For details, see the National Vulnerability Database site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1802 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1803 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1804 |
Alert | Oracle Java Unspecified Vulnerability (CVE-2015-0488) |
Date Posted | April 2015 |
Summary | An unspecified vulnerability in Oracle Java Standard Edition 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect availability via vectors related to Java Secure Socket Extension (JSSE). |
Product Status | Reflection X Advantage 5.0 uses JSSE and may be affected. This issue is addressed in a Java update. Refer to the "Multiple Oracle Java Vulnerabilities" Alert. |
Additional Information | For details, see the National Vulnerability Database site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0488 |
Alert | Certificate Blacklist Protection Vulnerability (CVE-2014-8275) |
Date Posted | April 2015 |
Summary | OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c. RSA has confirmed that this vulnerability applies to RSA Crypto-J versions prior to 6.2. |
Product Status | Reflection X Advantage is not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8275. |
Alert | Information leak in the XkbSetGeometry request of X servers (CVE-2015-0255) |
Date Posted | February 2015 |
Summary | A malicious client with string lengths exceeding the [XkbGeometry] request length can cause the server to copy adjacent memory data into the XKB structs. This data is then available to the client via the XkbGetGeometry request. |
Product Status | Reflection X Advantage is not affected by this issue. |
Additional Information | For vulnerability details, see the X.Org Foundation or the National Vulnerability Database: http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0255. |
Alert | OpenSSL "Heartbleed" Vulnerability CVE-2014-0160 |
Date Posted | April 2014 |
Summary | A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. |
Product Status | Reflection X Advantage is not affected by this issue. |
Additional Information | For details and the latest information on mitigations, see the following: US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951 National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160. |
Alert | RSA Security Advisory: ESA-2013-068 Crypto-J Default DRBG May Be Compromised |
Date Posted | February 2014 |
Summary | RSA strongly recommends that customers discontinue use of the default Dual EC DRBG (deterministic random bit generator) and move to a different DRBG. |
Product Status | Reflection X Advantage 5.0 is not subject to this vulnerability. Reflection X Advantage 5.0 installs version 6.1 of RSA's Crypto-J library, but programmatically sets a different DRBG algorithm. Future Reflection X Advantage versions will ship with a Crypto-J library that is not subject to this issue. Earlier versions of Reflection X Advantage are also not subject to this vulnerability; they ship an older Crypto-J library, in which the default DRBG is different from the default in the newer Crypto-J library. |
Additional Information | For details, see the National Vulnerability Database site at http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf. |
Alert | Vulnerability Summary for CVE-2013-0422 |
Date Posted | January 2013 |
Summary | Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications. |
Product Status | Reflection X Advantage is not subject to this vulnerability; however, two optional methods of launching sessions rely on browser functionality provided by Java. Domain mode sessions launched using Java Web Start require that JNLP be enabled. Reflection sessions configured using the Administrative WebStation (included in Reflection Administrator, Reflection Security Gateway, and Reflection for the Web, sold separately from Reflection X Advantage) require that Reflection be launched from a browser with a Java plug-in enabled. It is the Java plug-in and Web Start that can be exploited, not Reflection X Advantage. To minimize the risk described in this vulnerability, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability. |
Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html. |
Alert | Multiple Oracle Java Vulnerabilities in Java 7 Update 3 or earlier |
Date Posted | October 2012 |
Summary | Multiple security issues have been addressed in Oracle Java 7 Update 3 or earlier. |
Product Status | These issues are resolved in Reflection X Advantage 4.2, which installs Java 7 Update 5 (JDK 1.7.0_05). |
Additional Information | For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table. |
Alert | Vulnerability Summary for CVE-2012-2118 |
Date Posted | June 2012 |
Summary | Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name. |
Product Status | Reflection X Advantage is not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2118. |
Alert | Floating Point Number Vulnerability CVE-2010-4476 |
Date Posted | November 2011 |
Summary | Oracle Security Alert: "This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks (that is, it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability." |
Product Status | This issue is resolved in Reflection X Advantage 4.0, which installs Version 6 Update 26 of the Java Runtime Environment. |
Additional Information | For details see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html, and the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476. |
Alert | Vulnerability Summary for CVE-2010-3558 |
Date Posted | May 2011 |
Summary | Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21 may allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. |
Product Status | This issue is fixed by applying Reflection 2011 R1 SP1 to Reflection X Advantage. Service Pack 1 (SP1) installs Version 6 Update 23 of the Java Runtime Environment, which resolves the issue. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3558. |
Alert | US-CERT Technical Cyber Security Alert TA10-238A |
Date Posted | October 2010 |
Summary | Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code. |
Product Status | Reflection X Advantage is not subject to this vulnerability. |
Additional Information | For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html. |
Alert | Vulnerability Summary for CVE-2008-2362 |
Date Posted | October 2010 |
Summary | Multiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code using a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corruption. |
Product Status | Issue has been fixed in Reflection X Advantage 3.0. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2362. |
Alert | Vulnerability Summary for CVE-2008-2361 |
Date Posted | October 2010 |
Summary | Integer overflow in the ProcRenderCreateCursor function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to cause a denial of service (daemon crash) via unspecified request fields that are used to calculate a glyph buffer size, which triggers a dereference of unmapped memory. |
Product Status | Issue has been fixed in Reflection X Advantage 3.0. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2361. |
Alert | Vulnerability Summary for CVE-2008-2360 |
Date Posted | October 2010 |
Summary | Integer overflow in the AllocateGlyph function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to execute arbitrary code via unspecified request fields that are used to calculate a heap buffer size, which triggers a heap-based buffer overflow. |
Product Status | Issue has been fixed in Reflection X Advantage 3.0. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2360. |
Alert | Vulnerability Summary for CVE-2008-1377 |
Date Posted | October 2010 |
Summary | The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code through requests with crafted length values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption. |
Product Status | Issue does not affect Reflection X Advantage 3.0. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1377. |
Alert | Vulnerability Summary for CVE-2008-0006 |
Date Posted | October 2010 |
Summary | Buffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont and libXfont libraries on some platforms including Sun Solaris, allows context-dependent attackers to execute arbitrary code using a PCF font with a large difference between the last col and first col values in the PCF_BDF_ENCODINGS table. |
Product Status | Issue does not affect Reflection X Advantage 3.0. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0006. |
Alert | Vulnerability Summary for CVE-2007-6429 |
Date Posted | October 2010 |
Summary | Multiple integer overflows in X.Org Xserver before 1.4.1 allow context-dependent attackers to execute arbitrary code using (1) a GetVisualInfo request containing a 32-bit value that is improperly used to calculate an amount of memory for allocation by the EVI extension, or (2) a request containing values related to pixmap size that are improperly used in management of shared memory by the MIT-SHM extension. |
Product Status | Issue does not affect Reflection X Advantage 3.0. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6429. |
Alert | Vulnerability Summary for CVE-2007-6428 |
Date Posted | October 2010 |
Summary | The ProcGetReservedColormapEntries function in the TOG-CUP extension in X.Org Xserver before 1.4.1 allows context-dependent attackers to read the contents of arbitrary memory locations using a request containing a 32-bit value that is improperly used as an array index. |
Product Status | Issue does not affect Reflection X Advantage 3.0. |
Additional Information | For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6428. |
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.