Security Updates 2015 and earlier - Databridge

  • 7021901
  • 29-Jan-2013
  • 31-Mar-2018

Environment

Databridge version 6.1 or higher

Situation

This technical note describes security issues related to Databridge. If you rely on the security features of Databridge, you should consult this technical note on a regular basis for any updated information regarding these features.

Resolution

Other Useful Resources

Java and Databridge Products

The only component of Databridge that uses Java is the Databridge console, which is part of the Databridge client. It is possible (and common) to use the Databridge client from the command line, in which case you do not need to use the console. The other Databridge components (including Databridge host and Databridge Enterprise) do not use Java.

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is not all-inclusive; it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.

Alert: Multiple Oracle JRE Vulnerabilities
Date Posted: May 2015
Summary: According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.
Product Status: Users running the Databridge client from the Databridge console are encouraged to download the most recent version of Java: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Additional Information: Oracle lists the security vulnerabilities addressed by Oracle advisories (updates); see the mapping at http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html

Alert: OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted: April 2014
Summary: A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status: Databridge products are not affected by this issue.
Additional Information: For details and the latest information on mitigations, see the following:

  • US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A
  • CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951
  • National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Status

Security Alert

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2575.