Environment
Situation
This technical note describes security issues related to the FileXpress products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.
Other Useful Resources
- Operating system, host, and network effects on overall security: KB 7021969.
- Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
- Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
- Review security updates for other Attachmate products: https://support.microfocus.com/security/.
Java and FileXpress
Some FileXpress products use Java, and you may need to update the installed version of Java used by these products to get the latest Java security updates. For more information about Java and FileXpress, see #FileXpress.
Resolution
Security Alerts and Advisories
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.
Alert: RSA BSAFE Crypto-J JSAFE and JCE Module
Date Posted: April 2016
Summary: FIPS validation issues have been addressed in a hotfix. RSA BSAFE Crypto-J JSAFE and JCE software module version 6.2.1 has been validated by the National Institute of Standards and Technology (NIST).
Product Status: FileXpress Gateway: This issue has been resolved beginning in version 1.0 build 369. Contact Technical Support to obtain a hotfix.
Additional Information: For details, see KB 7021285.

Alert: glibc Stack-based Buffer Overflow Vulnerability (CVE-2015-7547)
Date Posted: March 2016
Summary: The glibc DNS client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() function is used.
Product Status: For information on how to update your Red Hat system, see https://access.redhat.com/security/cve/cve-2015-7547. For information on how to update your SUSE system, see https://www.suse.com/support/update/announcement/2016/suse-su-20160471-1.html.
Additional Information: For vulnerability details, see https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Alert: Bouncy Castle Invalid Curve Attack Vulnerability (CVE-2015-7940)
Date Posted: December 2015
Summary: The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie-Hellman (ECDH) key exchanges.
Product Status: Disable Bouncy Castle as the elliptic curve encryption provider as follows:
1. Make sure you are running Oracle Java Server JRE or JDK version 1.7 or 1.8.
2. Edit the JAVA_HOME/jre/lib/security/java.security file.
3. Verify that the "sun.security.ec.SunEC" provider is defined:
   security.provider.<n>=sun.security.ec.SunEC
4. Move the following line from line 3 to the last provider entry:
   security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
5. Renumber the security.provider entries and save the java.security file.
6. Restart the FileXpress server.
Additional Information: For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7940

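To carry out steps 3 to 5 of the procedure above without hand-editing, here is an added Python example (not part of this technical note or of the FileXpress product) that checks for the SunEC provider, moves the Bouncy Castle entry to the last security.provider slot and renumbers the entries. It runs on a constructed sample provider list and assumes the entries use the standard security.provider.<n>=<class> form.

```python
import re

# Constructed sample of the provider list in a java.security file (not copied
# from any real JRE or FileXpress installation), with Bouncy Castle in slot 3
# ahead of SunEC, the situation the advisory describes.
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
"""

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")
BC_PROVIDER = "org.bouncycastle.jce.provider.BouncyCastleProvider"
SUNEC_PROVIDER = "sun.security.ec.SunEC"


def provider_order(text):
    """Provider class names in preference order (ascending slot number)."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [cls for _, cls in sorted(found)]


def demote_bouncy_castle(text):
    """Return the java.security text with Bouncy Castle moved to the last
    security.provider slot and all slots renumbered 1..n (steps 3 to 5).
    Comments and other settings are left untouched; the rewritten entries
    reuse the original lines' positions."""
    lines = text.splitlines()
    entries = []  # (slot number, line index, class name)
    for i, line in enumerate(lines):
        m = PROVIDER_RE.match(line)
        if m:
            entries.append((int(m.group(1)), i, m.group(2)))
    entries.sort()
    classes = [cls for _, _, cls in entries]
    if SUNEC_PROVIDER not in classes:
        # Step 3: without SunEC there is no other EC provider to fall back on.
        raise ValueError("SunEC provider is not defined in java.security")
    if BC_PROVIDER not in classes:
        return text  # already compliant, nothing to move
    # Step 4: take Bouncy Castle out of its slot and append it as the last provider.
    classes = [c for c in classes if c != BC_PROVIDER] + [BC_PROVIDER]
    # Step 5: write the new order back into the same lines, renumbered 1..n.
    for slot, ((_, idx, _), cls) in enumerate(zip(entries, classes), start=1):
        lines[idx] = "security.provider.%d=%s" % (slot, cls)
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")
```

Run it against the real file with demote_bouncy_castle(open(path).read()), write the result back, and then restart the FileXpress server (step 6).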
Alert: Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000)
Date Posted: June 2015 (Updated)
Summary: With TLS protocol 1.2, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions.
Product Status: FileXpress Gateway 1.0 is subject to this vulnerability. This issue is addressed beginning in FileXpress Gateway 1.0 hotfix build 368. Maintained customers can download the latest hotfix from the Attachmate Downloads site. In new product installations, DH Group1 key exchanges are disabled by default. After upgrading an existing installation, disable Group1 exchanges as follows:
1. Open the FileXpress Secure Shell Proxy Console from the Start menu.
2. Click Configuration > Encryption > Key Exchange and click the Restore pane defaults link.
3. Click Yes to reset, then click File > Save Settings.
Additional Information: For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000

Alert: Multiple OpenSSL Vulnerabilities
Summary: Multiple OpenSSL issues have been addressed in the latest OpenSSL version.
Date Posted and Version Affected: October 2014. FileXpress Gateway 1.0 contains the latest OpenSSL Cryptographic Module, which includes OpenSSL release 1.0.1i.
Additional Information: For vulnerability details, see:
- https://www.openssl.org/news/secadv_20150319.txt
- https://www.openssl.org/news/secadv_20140806.txt

Alert: Multiple Oracle JRE Vulnerabilities
Summary: Multiple Oracle JRE issues have been addressed in the latest Oracle Java update.
Date Posted and Version Affected: January 2015. Beginning in FileXpress Gateway 1.0 Hotfix 1 (version 1.0.0.360), JRE version 7 Update 75 is installed.
Additional Information: Oracle lists the security vulnerabilities addressed by Oracle advisories (updates); see the mapping at http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html.

Alert: RSA BSAFE SSL-J Vulnerability CVE-2014-4630
Date Posted: January 2015
Summary: EMC RSA BSAFE SSL-J before 6.1.4 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
Product Status: FileXpress Gateway 1.0 (version 1.0.0.336) is not vulnerable to this attack but does contain the vulnerable module. Beginning in FileXpress Gateway 1.0 Hotfix 1 (version 1.0.0.360), the module has been updated with RSA BSAFE SSL-J 6.1.4. We recommend that you upgrade FileXpress Gateway to the latest hotfix. Maintained customers can download the latest hotfix from the Attachmate Downloads site.
Additional Information: For details and the latest information, see http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4630.

Alert: OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted: April 2014
Summary: A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status: FileXpress products are not affected by this issue.
Additional Information: For details and the latest information on mitigations, see the following:
- US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A
- CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951
- National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Alert: Vulnerability CVE-2013-0422
Date Posted: January 2013
Summary: Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code, as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.
Product Status: FileXpress products are not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert: Vulnerability CVE-2010-4252
Date Posted: June 2011
Summary: OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Product Status: FileXpress products are not affected by this OpenSSL issue.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4252.

Alert: Vulnerability CVE-2010-4180
Date Posted: June 2011
Summary: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Product Status: FileXpress products are not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180.

Alert: OpenSSL TLS Buffer Overflow Vulnerability CVE-2010-3864
Date Posted: February 2011
Summary: Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
Product Status: FileXpress products are not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864.

Alert: FTP Client Directory Traversal Vulnerability CVE-2010-3096
Date Posted: December 2010
Summary: Numerous FTP clients have reported a directory traversal vulnerability that allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename.
Product Status: FileXpress products are not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3096.

Alert: US-CERT Technical Cyber Security Alert TA10-238A
Date Posted: November 2010
Summary: Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.
Product Status: FileXpress products are not subject to this vulnerability.
Additional Information: For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.