Environment
Situation
This technical note describes security issues related to Reflection PKI Services Manager. If you rely on the security features of this module, you should consult this technical note on a regular basis for any updated information regarding these features.
Note: Reflection PKI Services Manager is available as an optional component of many Attachmate products. For a list of those products, see KB 7021880.
Resolution
Other Useful Resources
- Operating system, host, and network effects on overall security: KB 7021969.
- Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
- Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
- Review security updates for other Attachmate products: https://support.microfocus.com/security/.
- Information about Attachmate products and FIPS 140-2: KB 7021285.
Java and Reflection PKI Services Manager
Reflection PKI Services Manager installs a private JRE that you can upgrade. Refer to the product documentation (https://support.microfocus.com/manuals/reflection.html?prod=PKID) for details on how to upgrade the JRE. This component falls into the Java Server usage pattern. For more information, see KB 7021973.
Security Alerts and Advisories
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is not all-inclusive; it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.
Alert | RSA Security Advisory: ESA-2013-068 Crypto-J Default DRBG May Be Compromised |
Date Posted | January 2015 – Modified March 2014 – Modified January 2014 |
Summary | RSA strongly recommends that customers discontinue use of the default Dual EC DRBG (deterministic random bit generator) and move to a different DRBG. |
Product Status | Reflection PKI Services Manager 1.2 SP2 and 1.3 install version 6.1 of RSA's Crypto-J library, which is subject to this issue. This issue is resolved in Reflection PKI Services Manager 1.3 Service Pack 1 (1.3.1.139). We recommend that you upgrade PKI Services Manager to the latest version. Maintained customers can download the latest version from the Attachmate Downloads site. Earlier Reflection PKI Services Manager versions are not subject to this vulnerability. |
Additional Information | If you have installed and configured your own JVM or JDK, the java.security file is located in the %JAVA_HOME%/jre/lib folder of your install. To change the default pseudo-random number generator (PRNG) used by Crypto-J, add the following line to the java.security file: com.rsa.crypto.default.random=HMACDRBG256 For more information about this alert, see http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf. |
Alert | Multiple Oracle JRE Vulnerabilities |
Summary | Multiple Oracle JRE issues have been addressed in the latest Oracle Java update. We recommend that you update the Java Runtime Environment (JRE) for Reflection PKI Services Manager. |
Date Posted and Version Affected | January 2015 – Reflection PKI Services Manager 1.3 Service Pack 1 installs Version 7 Update 71 of the JRE. |
Date Posted and Version Affected | March 2014 – Reflection PKI Services Manager 1.3 Hotfix 1 installs Version 7 Update 51 of the JRE. To obtain this hotfix, contact Attachmate Technical Support. |
Date Posted and Version Affected | October 2013 – Reflection PKI Services Manager 1.3 installs Version 7 Update 25 of the JRE. |
Date Posted and Version Affected | August 2013 – Reflection PKI Services Manager 1.2 Service Pack 2 installs Version 7 Update 25 of the JRE. |
Date Posted and Version Affected | November 2012 – Reflection PKI Services Manager 1.2 Service Pack 1 installs Version 7 Update 5 of the JRE. |
Additional Information | Oracle lists the security vulnerabilities addressed by Oracle advisories (updates); see the mapping at http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html. |
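Both checks above, the Crypto-J DRBG override in java.security and the JRE update level installed by each release, are the kind of thing that drifts after a manual JRE upgrade. The following audit helper is an added example, not part of the product or of this note: it parses a java.security file for the com.rsa.crypto.default.random key and compares an Oracle-style java -version string against the 7u71 level that 1.3 SP1 installs. The sample file, the 7u71 minimum and the finding strings are assumptions chosen for illustration.

```python
import re

# Key named in RSA advisory ESA-2013-068; its absence means the Crypto-J
# 6.1 library default (Dual EC DRBG) is in effect.
DRBG_KEY = "com.rsa.crypto.default.random"
# Oracle JRE update installed by PKI Services Manager 1.3 SP1 (7u71).
MIN_ORACLE_JRE = (7, 71)

def parse_java_security(text):
    """Parse java.security as Java .properties: '#'/'!' comments, '=' or
    ':' separators, and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def drbg_override(text):
    """Return the DRBG configured for Crypto-J, or None if unset."""
    return parse_java_security(text).get(DRBG_KEY)

def parse_jre_version(s):
    """'java version "1.7.0_71"' or '1.7.0_71' -> (7, 71). Oracle-style
    strings only; IBM '7 R1 SR2' strings are not handled."""
    m = re.search(r"1\.(\d+)\.\d+_(\d+)", s)
    if not m:
        raise ValueError("unrecognised JRE version string: %r" % s)
    return int(m.group(1)), int(m.group(2))

def audit(security_text, version_string, minimum=MIN_ORACLE_JRE):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if drbg_override(security_text) is None:
        findings.append("%s not set: Crypto-J default DRBG in use" % DRBG_KEY)
    if parse_jre_version(version_string) < minimum:
        findings.append("JRE older than %du%d" % minimum)
    return findings

# Constructed sample java.security fragment (not from a real installation).
SAMPLE_SECURITY = ("securerandom.source=file:/dev/random\n"
                   "# override recommended by ESA-2013-068\n"
                   "com.rsa.crypto.default.random=HMACDRBG256\n")
```

Run audit() against the real %JAVA_HOME%/jre/lib/java.security contents and the output of java -version; an empty list means the override is present and the JRE is at or above the assumed minimum.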
Alert | Multiple IBM JRE Vulnerabilities |
Summary | Multiple IBM Runtime Environment Java Technology Edition issues have been addressed in the latest IBM update. |
Date Posted and Version Affected | January 2015 – Reflection PKI Services Manager 1.3 Service Pack 1 installs Version 7 R1 SR2 of the JRE. |
Additional Information | IBM lists the security vulnerabilities addressed by IBM Security alerts (updates); see the mapping at http://www.ibm.com/developerworks/java/jdk/alerts/. |
Alert | OpenSSL "Heartbleed" Vulnerability CVE-2014-0160 |
Date Posted | April 2014 |
Summary | A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. |
Product Status | Reflection PKI Services Manager is not affected by this issue. |
Additional Information | For details and the latest information on mitigations, see the following: US-CERT Technical Alert TA14-098A: https://www.us-cert.gov/ncas/alerts/TA14-098A; CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951; National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160. |
Alert | Vulnerability Summary for CVE-2013-0422 |
Date Posted | January 2013 |
Summary | Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications. |
Product Status | Reflection PKI Services Manager is not subject to this vulnerability. |
Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html. |
Alert | OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110 |
Date Posted | May 2012 |
Summary | An ASN.1 input function does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate. |
Product Status | This issue does not affect Reflection PKI Services Manager. |
Additional Information | For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110. |
Alert | Multiple Oracle JRE Vulnerabilities |
Date Posted | November 2011 |
Summary | Multiple Oracle JRE issues have been addressed in Oracle JRE 1.6U26. |
Product Status | Reflection PKI Services Manager 1.2 Hotfix 1 or higher installs Version 6 Update 26 of the Java Runtime Environment (JRE), which addresses several potential security vulnerabilities. Upgrade to the latest Reflection PKI Services Manager version. |
Additional Information | For details about the vulnerabilities that affect Reflection PKI Services Manager, see the following entries at the National Vulnerability Database: CVE-2011-0872: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0872; CVE-2011-0867: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0867; CVE-2011-0865: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0865. |
Alert | Vulnerability Summary for CVE-2010-4476 |
Date Posted | June 2011 |
Summary | The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. |
Product Status | Reflection PKI Services Manager 1.2 installs Version 6 Update 24 of the Java Runtime Environment (JRE), which addresses this potential security vulnerability. |
Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476. |
Alert | Vulnerability Summary for CVE-2010-3190 |
Date Posted | June 2011 |
Summary | Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability." |
Product Status | In Reflection PKI Services Manager 1.2, the Microsoft redistributable library files affected by this untrusted search path vulnerability have been updated, and a related untrusted search path vulnerability in the Windows module has been fixed. |
Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3190. |