Security Updates and FileXpress

Document ID:7022077
Creation Date:05-Nov-2009
Modified Date:02-Mar-2018
- Micro Focus Products:
  Reflection for Secure IT Gateway

Environment

FileXpress Gateway version 1.0 or higher

Situation

This technical note describes security issues related to the FileXpress products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.

Other Useful Resources

Operating system, host, and network effects on overall security: KB 7021969.
Report a potential security vulnerability in an Attachmate product to Attachmate: https://www.microfocus.com/security.
Check on the product support lifecycle status of your Attachmate software: https://support.microfocus.com/programs/lifecycle/.
Review security updates for other Attachmate products: https://support.microfocus.com/security/.

Java and FileXpress

Some FileXpress products use Java, and you may need to update the installed version of Java used by these products to get the latest Java security updates. For more information about Java and FileXpress, see #FileXpress.

Resolution

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see KB 7021969.

Alert	RSA BSAFE Crypto-J JSAFE and JCE Module
Date Posted	April 2016
Summary	FIPS validation issues have been addressed in a hotfix. RSA BSAFE Crypto-J JSAFE and JCE software module version 6.2.1 has been validated by the National Institute of Standards and Technology (NIST).
Product Status	FileXpress Gateway: This issue has been resolved beginning in version 1.0 build 369. Contact Technical Support to obtain a hotfix.
Additional Information	For details, see KB 7021285.

Alert	glibc Stack-based Buffer Overflow Vulnerability (CVE-2015-7547)
Date Posted	March 2016
Summary	The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() function is used.
Product Status	For information on how to update your Red Hat system, see https://access.redhat.com/security/cve/cve-2015-7547. For information on how to update your SUSE system, see https://www.suse.com/support/update/announcement/2016/suse-su-20160471-1.html.
Additional Information	For vulnerability details, see: https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Alert	Bouncy Castle Invalid Curve Attack Vulnerability (CVE-2015-7940)
Date Posted	December 2015
Summary	The Bouncy Castle Java library before 1.51 does not validate a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges.
Product Status	Disable Bouncy Castle as the Elliptical Curve encryption provider as follows: 1. Make sure you are running Oracle Java Server JRE or JDK version 1.7 or 1.8. 2. Edit the JAVA_HOME/jre/lib/security/java.security file. 3. Verify that the “sun.security.ec.SunEC” provider is defined. `security.provider.<n>=sun.security.ec.SunEC` 4. Move the following line from line 3 to the last provider entry: `security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider` 5. Renumber the security.provider entries and save the java.security file. 6. Restart the FileXpress server.
Additional Information	For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7940

Alert	Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000)
Date Posted	June 2015 (Updated)
Summary	With TLS protocol 1.2, if DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH Groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions.
Product Status	FileXpress Gateway 1.0 is subject to this vulnerability. This issue is addressed beginning in FileXpress Gateway 1.0 hotfix build 368. Maintained customers can download the latest hotfix from the Attachmate Downloads site. In new product installations, DH Group1 Key Exchanges are disabled by default. After upgrading an existing installation, disable Group1 Exchanges as follows: 1. Open the FileXpress Secure Shell Proxy Console from the Start menu. 2. Click Configuration > Encryption > Key Exchange and click the Restore pane defaults link. 3. Click Yes to reset then File > Save Settings.
Additional Information	For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000

Alert	Multiple OpenSSL Vulnerabilities
Summary	Multiple OpenSSL issues have been addressed in the latest OpenSSL version.
Date Posted and Version Affected	October 2014 – FileXpress Gateway 1.0 contains the latest OpenSSL Cryptographic Module that includes OpenSSL release 1.0.1i.
Additional Information	For vulnerability details, see: https://www.openssl.org/news/secadv_20150319.txt https://www.openssl.org/news/secadv_20140806.txt.

Alert	Multiple Oracle JRE Vulnerabilities
Summary	Multiple Oracle JRE issues have been addressed in the latest Oracle Java update.
Date Posted and Version Affected	January 2015 – Beginning in FileXpress Gateway 1.0 Hotfix 1 (version 1.0.0.360), JRE version 7 Update 75 is installed.
Additional Information	Oracle lists the security vulnerabilities addressed by Oracle advisories (updates); see the mapping at http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html.

Alert	RSA BSAFE SSL-J Vulnerability CVE-2014-4630
Date Posted	January 2015
Summary	EMC RSA BSAFE SSL-J before 6.1.4 does not ensure that a server’s X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a “triple handshake attack."
Product Status	FileXpress Gateway 1.0 (version 1.0.0.336) is not vulnerable to this attack but does contain the vulnerable module. Beginning in FileXpress Gateway 1.0 Hotfix 1 (version 1.0.0.360), the module has been updated with RSA BSAFE SSL-J 6.1.4. We recommend that you upgrade FileXpress Gateway to the latest hotfix. Maintained customers can download the latest hotfix from the Attachmate Downloads site.
Additional Information	For details and the latest information, see http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4630.

Alert	OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted	April 2014
Summary	A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status	FileXpress products are not affected by this issue.
Additional Information	For details and the latest information on mitigations, see the following: US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951 National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160.

Alert	Vulnerability CVE-2013-0422
Date Posted	January 2013
Summary	Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.
Product Status	FileXpress products are not subject to this vulnerability.
Additional Information	For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert	Vulnerability CVE-2010-4252
Date Posted	June 2011
Summary	OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Product Status	FileXpress products are not affected by this OpenSSL issue.
Additional Information	For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4252.

Alert	Vulnerability CVE-2010-4180
Date Posted	June 2011
Summary	OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Product Status	FileXpress products are not subject to this vulnerability.
Additional Information	For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180.

Alert	OpenSSL TLS Buffer Overflow Vulnerability CVE-2010-3864
Date Posted	February 2011
Summary	Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
Product Status	FileXpress products, are not subject to this vulnerability
Additional Information	For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864.

Alert	FTP Client Directory Traversal Vulnerability CVE-2010-3096
Date Posted	December 2010
Summary	Numerous FTP clients have reported a directory traversal vulnerability that allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename.
Product Status	FileXpress products are not subject to this vulnerability
Additional Information	For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3096.

Alert	US-CERT Technical Cyber Security Alert TA10-238A
Date Posted	November 2010
Summary	Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.
Product Status	FileXpress products are not subject to this vulnerability
Additional Information	For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.